Python vs Julia Observations
Erik Engheim
Do feel welcome to propose your changes to the Python Community for 3.7.
Regarding the enforcement of separating command line tokens within OS.call: IIRC it is a default security feature that can be disabled through an optional argument. For instance, a webpage uses JavaScript to sanitize user input which is piped to the Python backend and executed with OS.call. The user is supposed to just enter a domain to NSLOOKUP but instead they disable the JavaScript and send ‘google.com;echo /etc/passwd’ in order to get a list of system users and begin a brute force attack. Thankfully this is prevented by the default security measure. If disabled, you can simply pass a string as the call parameter in the manner you described.
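The difference described in the comment above, shown with Python's `subprocess` module as an added example (not code from the comment or the article): a list of arguments reaches the program as one argv element, a string run with `shell=True` is parsed by the shell, and the backend re-validates the hostname itself instead of trusting client-side checks. The argv-echoing child process, the `echo lookup` command standing in for nslookup, and all function names are assumptions chosen so the example runs offline on a POSIX system.

```python
import re
import subprocess
import sys

# Input quoted in the comment above.
PAYLOAD = "google.com;echo /etc/passwd"

# Constructed stand-in for nslookup: a child that prints the argv it received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Hostname labels: letters, digits, inner hyphens; never a leading '-'.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def run_list_form(user_input):
    """List form (the default): no shell runs, input is a single argv element."""
    done = subprocess.run(ECHO_ARGV + [user_input],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_shell_form(user_input):
    """String form with shell=True: /bin/sh parses the text, so ';' splits it."""
    done = subprocess.run("echo lookup " + user_input, shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def build_lookup_argv(user_input):
    """Server-side validation, then an argv list suitable for subprocess.run."""
    if len(user_input) > 253 or HOSTNAME_RE.fullmatch(user_input) is None:
        raise ValueError("not a valid hostname")
    return ["nslookup", user_input]


if __name__ == "__main__":
    print("list form :", run_list_form(PAYLOAD))
    print("shell form:", run_shell_form(PAYLOAD))
    try:
        build_lookup_argv(PAYLOAD)
    except ValueError as exc:
        print("rejected  :", exc)
```
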