Hello Andreas,

> I see that my patch  was overlooked and then  was written the next
> day. It introduces at least 2 new code execution vulnerabilities
> relating to filenames containing $(..).

Indeed, the gnulib module 'sh-quote'  can help to avoid misquoting in
shell command-lines. Additionally, the gnulib module 'execute'  ensures
portability to Windows, since it replaces the uses of 'fork()'.

Bruno

https://www.gnu.org/software/gnulib/MODULES.html#module=sh-quote
https://www.gnu.org/software/gnulib/MODULES.html#module=execute
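
The quoting problem discussed in this message, as an added example that is not part of the original mail and is not gnulib's code: a command line built with double quotes still lets the shell expand $(..) in a filename, while single-quote quoting keeps it literal. The helper names quote_for_sh and build_command and the sample filename are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not gnulib's code): quote s for a POSIX shell by
   wrapping it in single quotes and writing each embedded ' as '\''.
   Inside single quotes the shell expands nothing, so $(..), backticks,
   spaces and ; stay literal.  The caller frees the result. */
char *quote_for_sh(const char *s)
{
    size_t n = 3;                        /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out)
        return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);       /* close, escaped quote, reopen */
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<prog> <quoted file>"; prog is trusted, file is not. */
char *build_command(const char *prog, const char *file)
{
    char *qf = quote_for_sh(file);
    if (!qf)
        return NULL;
    size_t n = strlen(prog) + 1 + strlen(qf) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s %s", prog, qf);
    free(qf);
    return cmd;
}

int main(void)
{
    const char *name = "report $(id).txt";            /* constructed sample */
    char weak[128];
    snprintf(weak, sizeof weak, "cat \"%s\"", name);  /* $(..) still expands */
    char *safe = build_command("cat", name);
    printf("weak: %s\nsafe: %s\n", weak, safe ? safe : "(out of memory)");
    free(safe);
    return 0;
}
```

Quoting does not stop a filename that begins with '-' from being read as an option; pass "--" before it where the program supports that.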