[common] Prevent command execution in ExpandPathVariables (#87)

Command execution is not something users would expect. Even though
there is no security issue (right now), it's probably better to turn
it off.

common/path.cc

@@ -219,9 +219,12 @@ absl::Status ExpandPathVariables(std::string* path) {
   *path = Util::WideToUtf8Str(wchar_expanded);
   return absl::OkStatus();
 #else
+  // Exclude command substitution. It.s not what users of this method would
+  // expect and could lead to security issues.
   wordexp_t res;
-  wordexp(path->c_str(), &res, 0);
+  wordexp(path->c_str(), &res, WRDE_NOCMD);
   if (res.we_wordc > 1) {
+    wordfree(&res);
     return absl::InvalidArgumentError(
         "Path expands to multiple results (did you use * etc. ?");
   }

common/path.h

@@ -104,8 +104,8 @@ absl::Status GetKnownFolderPath(FolderId folder_id, std::string* path);
 // Expands environment path variables like %APPDATA% on Windows or ~ on Linux.
 // On Windows, variables are matched case invariantly. Unknown environment
 // variables are not changed.
-// On Linux, performs a shell-like expansion. Returns an error if multiple
+// On Linux, performs a shell-like expansion, but without command substitution.
-// results would be returned, e.g. from *.txt.
+// Returns an error if multiple results would be returned, e.g. from *.txt.
 absl::Status ExpandPathVariables(std::string* path);
 
 // Returns the environment variable with given |name| in |value|.