fix(exec): properly handles paths with spaces and quotes

[nfischer]

This fixes #17. This is based off #263, but it also escapes quotes in the path.

The issue comes from the fact that exec() executes a script created in the temporary directory. On unix systems, this is usually /tmp/, which has no unusual characters in the name. Windows users usually have a temporary directory that is a subdirectory of their home folder (which has their username as part of the path). Therefore, Windows users with usernames containing either a space or a " couldn't use exec() properly.

This now properly surrounds the strings with quotes, and escapes any quote characters inside for security, preventing scenarios, such as creating a directory named /tmp"; echo hijacked; echo " (perhaps $TMP is modified to point there, and this is chosen as the temporary directory). echo hijacked represents an arbitrary command. As it's currently implemented, #263 is still susceptible.

[nfischer]

@ariporad since this is built off of #263, let's wait to see if that PR gets updated in a few days.

[nfischer]

@ariporad Looks like #263 was closed in favor of this, so I think this is ready for review now

[ariporad]

@nfischer: Can we add a test for this? (If possible), otherwise, LGTM!

[nfischer]

@ariporad It might be difficult to test it as-is, since it involves creating a directory with that name and mocking tempdir() to return the insecure name. I tested this on my Ubuntu machine and it handled it well.

If you can think of a unit test however, feel free to add it. I just couldn't think of anything.

[nfischer]

I'm going to merge this now. If we can think of any tests for this, we can add them later on.