by craigds 589 days ago
shell=True is a security risk unless you're very careful with escaping inputs. In this case any filename with a `;` in it (or various other shell characters) will run arbitrary commands on the attacker's computer.

Best to pass a list of arguments to `subprocess` rather than a string, and avoid `shell=True`.

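To make the point concrete, here is an added example (not code from the thread or from the project being discussed) that copies a file three ways: through `shell=True` with the path spliced into the command string, through an argument list, and through `shell=True` with `shlex.quote`. The filename `report.txt; touch pwned` and the scratch directory are constructed for the demo; the `touch pwned` part is the injected command, and it runs on whatever machine executes the script.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed attacker-controlled filename: the part after ';' is a second command.
MALICIOUS_NAME = "report.txt; touch pwned"


def copy_with_shell(src, dst, cwd):
    """Vulnerable: src/dst are interpolated into a string that /bin/sh parses."""
    return subprocess.run(f"cp {src} {dst}", shell=True, cwd=cwd, capture_output=True)


def copy_with_argv(src, dst, cwd):
    """Safe: the list goes straight to execve; no shell ever sees ';', '|', '$(...)'."""
    return subprocess.run(["cp", "--", src, dst], cwd=cwd, capture_output=True)


def copy_with_quoting(src, dst, cwd):
    """If a shell is unavoidable, quote every interpolated value with shlex.quote."""
    cmd = f"cp -- {shlex.quote(src)} {shlex.quote(dst)}"
    return subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True)


def demo(copy_fn):
    """Run copy_fn in a fresh scratch directory.

    Returns (copy_succeeded, injected_command_ran): the second flag is True
    when the 'touch pwned' smuggled in via the filename actually executed.
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, MALICIOUS_NAME)
        dst = os.path.join(d, "backup.txt")
        with open(src, "w") as f:
            f.write("hello\n")

        copy_fn(src, dst, cwd=d)

        copied = os.path.exists(dst) and open(dst).read() == "hello\n"
        injected = os.path.exists(os.path.join(d, "pwned"))
        return copied, injected


if __name__ == "__main__":
    for fn in (copy_with_shell, copy_with_argv, copy_with_quoting):
        print(f"{fn.__name__:20s} copied={demo(fn)[0]} injected={demo(fn)[1]}")
```

With the shell version the command line becomes `cp .../report.txt; touch pwned .../backup.txt`: `cp` fails for lack of a destination, the shell moves on past the `;`, and `touch` creates both `pwned` and an empty `backup.txt`. The argv and `shlex.quote` versions copy the oddly named file and nothing else runs.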

Ah true! I fixated on exactly the line that was marked. I guess it's not that bad because you're choosing the file to copy, but I wouldn't have used a subshell for copying a file anyway.
I never understood why there even is an API for using a string...

Same for SQL statements, single quotes in a query string should generate a warning to just use prepared statements instead :-)
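The same string-splicing mistake in SQL form, as an added example rather than code from the thread: an in-memory SQLite table (constructed here) queried once with the name interpolated into the statement and once with a bound parameter. The payload `x' OR '1'='1` is the classic single-quote breakout the comment alludes to.

```python
import sqlite3

# Constructed attacker input: closes the string literal and adds an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database with two users (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def count_by_name_unsafe(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so quotes change the query."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone()[0]


def count_by_name_safe(conn, name):
    """Safe: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", count_by_name_unsafe(db, PAYLOAD))  # matches every row
    print("safe:  ", count_by_name_safe(db, PAYLOAD))    # matches no row
```

The unsafe query turns into `WHERE name = 'x' OR '1'='1'` and counts every row; the parameterised one looks for a user literally named `x' OR '1'='1` and finds none.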