python: Replace os.system with subprocess.call.

Generally, we avoid os.system, since it shells out and thus can be
a cause of security issues.

tools/check-css

@@ -3,9 +3,9 @@ from __future__ import absolute_import
 from __future__ import print_function
 from lib.css_parser import parse, CssParserException
 from typing import Iterable, Text
-import os
 import sys
 import glob
+import subprocess
 
 # check for the venv
 from lib import sanity_check
@@ -18,7 +18,7 @@ def validate(fn):
     if text != section_list.text():
         print('%s seems to be broken:' % (fn,))
         open('/var/tmp/pretty_css.txt', 'w').write(section_list.text())
-        os.system('diff %s /var/tmp/pretty_css.txt' % (fn,))
+        subprocess.call(['diff', fn, '/var/tmp/pretty_css.txt'], stderr=subprocess.STDOUT)
         sys.exit(1)
 
 def check_our_files(filenames):

tools/lib/pretty_print.py

@@ -9,7 +9,7 @@ from .template_parser import (
     is_django_block_tag,
 )
 from six.moves import range
-import os
+import subprocess
 
 def pretty_print_html(html, num_spaces=4):
     # type: (str, int) -> str
@@ -181,6 +181,6 @@ def validate_indent_html(fn):
         temp_file.write(phtml)
         temp_file.close()
         print('Invalid Indentation detected in file: %s\nDiff for the file against expected indented file:' % (fn))
-        os.system('diff %s %s' % (fn, '/var/tmp/pretty_html.txt'))
+        subprocess.call(['diff', fn, '/var/tmp/pretty_html.txt'], stderr=subprocess.STDOUT)
         return 0
     return 1

tools/print-all/print-all

@@ -4,6 +4,7 @@ import sh
 import os
 import re
 import sys
+import subprocess
 
 from typing import Iterable
 
@@ -54,7 +55,7 @@ try:
     sh.git('diff-index', '--cached', '--quiet', 'HEAD')
 except sh.ErrorReturnCode:
     sys.stderr.write('Your Git repository is not clean!\n\n')
-    os.system('git status')  # output to terminal
+    subprocess.call(['git', 'status'], stderr=subprocess.STDOUT)  # output to terminal
     sys.exit(1)
 
 with open('tools/print-all/tex/preamble.tex', 'w') as f: