
Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Posted Sep 14, 2013 10:25 UTC (Sat) by alankila (guest, #47141)
In reply to: Security of Java takes a dangerous turn for the worse, experts say (ars technica) by smurf
Parent article: Security of Java takes a dangerous turn for the worse, experts say (ars technica)

Here's a stupid anecdote against Python I ran into recently. Last Thursday, I thought to write a little TCP server in Python. Unix command output was to be sent over a TCP socket. It boiled down to something like this:

>>> import subprocess, gzip; subprocess.Popen(args="/bin/ls", stdout=gzip.GzipFile("testfile", "wb")).communicate()
(None, None)

The intent of the code is hopefully clear. I should have a gzipped output 'testfile' of the command /bin/ls. Unfortunately for me, Popen() calls fileno() on GzipFile and steals the handle from it, and writes uncompressed data bracketed by gzip gunk for a 0-byte file. So, GzipFile shouldn't implement fileno(), or someone shouldn't play fast and loose with Popen and should rather read from the stdout/stderr pipes during communicate() and use the correct abstraction of file.write to write when a file object is passed in.

At least Java's abstractions generally work correctly...


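The pitfall from the comment above, reproduced beside the pipe-based fix the commenter suggests, as an added example that is not part of the original post. It assumes Python 3 and substitutes a small Python child process (writing constructed "entry-NNN" lines) for /bin/ls so it runs anywhere; the function and file names are the example's own. The point it makes visible: Popen(stdout=obj) only ever calls obj.fileno(), so a GzipFile's compression layer is bypassed and the child's plaintext lands in the file, whereas reading the child's pipe and feeding GzipFile.write() produces a valid archive.

```python
import gzip
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed sample: the bytes the child process is expected to emit.
SAMPLE_OUTPUT = b"".join(b"entry-%03d\n" % i for i in range(200))

# Stand-in for "/bin/ls": a Python child that writes SAMPLE_OUTPUT to stdout.
CHILD_ARGV = [
    sys.executable, "-c",
    "import sys; [sys.stdout.buffer.write(b'entry-%03d\\n' % i) for i in range(200)]",
]


def capture_with_fileno_pitfall(path, argv):
    """What the comment did: hand a GzipFile straight to Popen(stdout=...).

    Popen never calls .write() on the object; it takes .fileno() and lets the
    child write raw bytes to the underlying descriptor.  GzipFile later writes
    its own header/trailer around data it never compressed.
    """
    with gzip.GzipFile(path, "wb") as gz:
        subprocess.Popen(argv, stdout=gz).communicate()


def capture_via_pipe(path, argv):
    """The fix: read the child's stdout from a pipe and push it through
    GzipFile.write(), streaming so large outputs are never held in memory."""
    with subprocess.Popen(argv, stdout=subprocess.PIPE) as proc, \
            gzip.open(path, "wb") as gz:
        shutil.copyfileobj(proc.stdout, gz)
    return proc.returncode


def inspect_file(path):
    """Return (raw bytes on disk, decompressed bytes or None if not valid gzip)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        return raw, gzip.decompress(raw)
    except (OSError, EOFError):  # gzip.BadGzipFile is an OSError subclass
        return raw, None


def demo():
    """Run both variants on temp files and report what ended up on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "pitfall.gz")
        good = os.path.join(tmp, "correct.gz")
        capture_with_fileno_pitfall(bad, CHILD_ARGV)
        capture_via_pipe(good, CHILD_ARGV)
        bad_raw, bad_dec = inspect_file(bad)
        good_raw, good_dec = inspect_file(good)
        return {
            # plaintext written straight to the descriptor is present verbatim
            "pitfall_leaks_plaintext": SAMPLE_OUTPUT in bad_raw,
            # and the result is not a gzip archive of the command's output
            "pitfall_decompresses": bad_dec == SAMPLE_OUTPUT,
            "correct_decompresses": good_dec == SAMPLE_OUTPUT,
            "correct_is_smaller": len(good_raw) < len(SAMPLE_OUTPUT),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same fileno() hand-off applies to any file-like wrapper (TLS sockets, encrypting or checksumming writers, codecs): if the wrapper exposes a descriptor, Popen will use it and silently skip whatever the wrapper was supposed to do, so data meant to be compressed or encrypted reaches disk in the clear. Checking the artifact afterwards, as inspect_file does, is the cheap way to catch it.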


Copyright © 2025, Eklektix, Inc.