question about the safety of os.popen()

[Brian Raynes]

I'm writing a simple module that, in part, sends an email.
>From various examples, I use the following line to start
sendmail, then I use the write method of the resulting mail
object to send the header and body text, then mail.close().

mail = os.popen("/usr/sbin/sendmail -t", "w")

I believe that this method of using os.popen() is relatively
safe since it does not pass any user input directly to the
shell.  All the examples I can find concerning security are
written in perl, but this statement seems to differ from the
dangerous examples because it does not include any user
input on the command line.  If I understand what os.popen()
is doing, this is opening a pipe directly to sendmail, so
that stuff sent via the .write() method does not go to the
shell, but to sendmail.  It is my understanding that this is
safer - most warnings about CGI security warn against
allowing user input to be sent to the shell.  

Am I doing the safe thing in regards to not sending input to
the shell?
Is there a better way to accomplish this?

I realize there are also security concerns with stuff sent
to sendmail, but the information on what to look for there
is more available and more appropriate in a sendmail
discussion than a Python one.

I'm still pretty new, but I've gone through the vast
majority of "Learning Python" and have read about popen() in
the Library Reference.  I don't know C, or else I would look
and understand exactly what's happening from the source
code.


Brian Raynes