
Message 247944

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author: r.david.murray
Recipients: TheRegRunner, r.david.murray
Date: 2015-08-03.18:44:10
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1438627450.99.0.873703919599.issue24778@psf.upfronthosting.co.za>
In-reply-to:
Content:
In this case os.system is an appropriate API, because it mirrors the API of mailcap itself (that is, mailcap entries are shell commands).  I'm not convinced there is a security bug here.  It seems to me that there are two cases: either the filename is determined by the program, in which case there is no security issue, or the filename comes from an external source, and the program will have had to *write it to the file system* before the mailcap command will do anything.  So the security hole, if any, will have happened earlier in the process.

Now, one can argue that the quoting should be done in order to preserve the meaning of an arbitrary filename.  Which would allay your concern even if I disagree that it is a real security bug :)

(I don't understand why run-mailcap uses an alias rather than correctly quoting the meta-characters.)
History

| Date | User | Action | Args |
|------|------|--------|------|
| 2015-08-03 18:44:11 | r.david.murray | set | recipients: + r.david.murray, TheRegRunner |
| 2015-08-03 18:44:10 | r.david.murray | set | messageid: <1438627450.99.0.873703919599.issue24778@psf.upfronthosting.co.za> |
| 2015-08-03 18:44:10 | r.david.murray | link | issue24778 messages |
| 2015-08-03 18:44:10 | r.david.murray | create | |
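
The quoting the message refers to, as an added example (not part of the original message and not CPython's mailcap code): the hypothetical `expand` helper substitutes a filename for `%s` in a mailcap-style command template with and without `shlex.quote`, and `shell_tokens` approximates how a POSIX shell would split each result. The template and filenames are constructed.

```python
import shlex


def expand(template: str, filename: str, quote: bool = True) -> str:
    """Expand a mailcap-style command template.

    %s becomes the filename (shell-quoted when quote=True) and %% becomes a
    literal percent sign; any other %x sequence is left untouched.
    """
    arg = shlex.quote(filename) if quote else filename
    out, i = [], 0
    while i < len(template):
        pair = template[i:i + 2]
        if pair == "%s":
            out.append(arg)
            i += 2
        elif pair == "%%":
            out.append("%")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def shell_tokens(command: str) -> list:
    """Approximate how a POSIX shell splits a line into words and operators."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # treat '#' as an ordinary character
    return list(lex)


# Constructed sample data: a viewer entry and filenames containing metacharacters.
TEMPLATE = "cat %s"
NAMES = ["notes.txt", "a; echo b.txt", "it's a; b"]

if __name__ == "__main__":
    for name in NAMES:
        for quote in (False, True):
            cmd = expand(TEMPLATE, name, quote=quote)
            try:
                print(f"quote={quote!s:5} {cmd!r:32} -> {shell_tokens(cmd)}")
            except ValueError as exc:  # unbalanced quote in the unquoted form
                print(f"quote={quote!s:5} {cmd!r:32} -> parse error: {exc}")
```

With quoting, each filename reaches the command as a single argument whatever characters it contains; without it, the filename's meaning depends on how the shell parses it.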