shlex

The Rust shlex crate has a security blind spot: versions prior to 1.2.1 allowed the characters { and the non‑breaking space (0xA0) to appear unquoted in quoted arguments, which can turn a single intended argument into multiple tokens when that output is passed to a shell — a condition that can...