Hello Andreas,

> I see that my patch [1] was overlooked and then [2] was written the next
> day. It introduces at least 2 new code execution vulnerabilities
> relating to filenames containing $(..).
Indeed, the gnulib module 'sh-quote' [1] can help to avoid misquoting in shell command-lines. Additionally, the gnulib module 'execute' [2] ensures portability to Windows, since it replaces the uses of 'fork()'.

Bruno

[1] https://www.gnu.org/software/gnulib/MODULES.html#module=sh-quote
[2] https://www.gnu.org/software/gnulib/MODULES.html#module=execute
