Comment 4 for bug 445714

Martin Pitt (pitti) wrote :

Can the user or third party ever control the file name argument? Things like

  + status, output = commands.getstatusoutput("gunzip %s" % localPath)

are never robust, since localPath could contain spaces, or worse, semicolons and other shell commands. That's why Python has an excellent subprocess module, which avoids intermediate shells, and still makes it comfortable to capture status and stdout/err.
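The two patterns Martin contrasts, side by side, as an added example that is not part of the original comment or of the package under discussion. It uses Python 3 (`commands.getstatusoutput` lives on as `subprocess.getstatusoutput`), constructs its own sample `.gz` file whose name contains a space, and assumes a `gunzip` binary is on the PATH.

```python
import gzip
import os
import shlex
import shutil
import subprocess
import tempfile


def decompress_unsafe(local_path):
    """The pattern criticised above: the path is pasted into a command line
    that /bin/sh parses, so a space splits it into two arguments and shell
    metacharacters in the name would be interpreted by the shell."""
    return subprocess.getstatusoutput("gunzip %s" % local_path)


def decompress_safe(local_path):
    """Argument list, no intermediate shell: the path reaches gunzip as one
    argv entry whatever it contains, and status/stdout/stderr are still
    captured."""
    proc = subprocess.run(["gunzip", local_path], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def quoted_command(local_path):
    """If a shell really is unavoidable, shlex.quote turns the path into a
    single shell word."""
    return "gunzip %s" % shlex.quote(local_path)


def shell_words(command_line):
    """The argument vector a POSIX shell would build from a command line."""
    return shlex.split(command_line)


def demo():
    """Constructed sample: 'report 2009.gz' (note the space). Returns
    (unsafe_status, safe_status, recovered_bytes), or None if gunzip is
    not installed, so the comparison can be checked without a real fixture."""
    if shutil.which("gunzip") is None:
        return None
    payload = b"hello from bug 445714\n"
    with tempfile.TemporaryDirectory() as tmp:
        gz_path = os.path.join(tmp, "report 2009.gz")
        with gzip.open(gz_path, "wb") as fh:
            fh.write(payload)
        unsafe_status, _ = decompress_unsafe(gz_path)  # shell sees two files
        safe_status, _ = decompress_safe(gz_path)      # gunzip sees one path
        out_path = gz_path[:-3]
        recovered = b""
        if os.path.exists(out_path):
            with open(out_path, "rb") as fh:
                recovered = fh.read()
        return unsafe_status, safe_status, recovered
```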