There are a few options with this situation, for ways of passing a
```python
# a list broken into individual parts, can be passed with `shell=False`
['cmd', 'arg1', 'arg2', ... ]

# a string with just a `cmd`, can be passed with `shell=False`
'cmd'

# a string with a `cmd` and `args`
# can only be passed to subprocess functions with `shell=True`
'cmd arg1 arg2 ...'
```

Just to follow up on mariis answer. The subprocess docs on python.org have more info on why you may want to pick one of a couple of options.

> `args` is required for all calls and should be a string, or a sequence of program arguments. Providing a sequence of arguments is generally preferred, as it allows the module to take care of any required escaping and quoting of arguments (e.g. to permit spaces in file names). If passing a single string, either `shell` must be `True` (see below) or else the string must simply name the program to be executed without specifying any arguments.

While `shell=True` would be OK for this, it's recommended to avoid it, as changing `'df -h'` to `['df', '-h']` isn't very difficult, and is a good habit to get into, only using the shell if you really need to. As the docs also add, against a red background no less:

> Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of `shell=True` is strongly discouraged in cases where the command string is constructed from external input
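
The difference between the argument forms discussed in the answers above, as an added example that is not part of the original answers or of the Python docs. It assumes a POSIX system with `echo` on the `PATH`; the `UNTRUSTED` value and the function names are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample of untrusted input: a "file name" carrying shell metacharacters.
UNTRUSTED = "report.txt; echo INJECTED"


def run_with_shell(name):
    """String + shell=True: /bin/sh parses `name`, so ';' starts a second command."""
    cmd = "echo listing " + name
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_with_list(name):
    """List + shell=False: `name` reaches the program as exactly one argument."""
    done = subprocess.run(["echo", "listing", name], capture_output=True, text=True)
    return done.stdout.splitlines()


def run_with_shell_quoted(name):
    """If a shell is really needed, shlex.quote() keeps `name` a single shell word."""
    cmd = "echo listing " + shlex.quote(name)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def string_with_args_no_shell(cmd):
    """'cmd arg1' with shell=False is looked up as one program name and fails."""
    try:
        subprocess.run(cmd, capture_output=True)
    except FileNotFoundError as exc:
        return type(exc).__name__
    return "ran"


if __name__ == "__main__":
    print(run_with_shell(UNTRUSTED))
    print(run_with_list(UNTRUSTED))
    print(run_with_shell_quoted(UNTRUSTED))
    print(string_with_args_no_shell("echo hi"))
```

With `shell=True` the output has two lines because the shell ran the second command; the list form and the quoted form each return the input as one literal argument.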