Deprecate str_shell_escape, add safe_shell_quote replacement

scripts/base/utils/active-http.bro

@@ -57,10 +57,10 @@ export {
 
 function request2curl(r: Request, bodyfile: string, headersfile: string): string
 	{
-	local cmd = fmt("curl -s -g -o \"%s\" -D \"%s\" -X \"%s\"",
-	                str_shell_escape(bodyfile),
-	                str_shell_escape(headersfile),
-	                str_shell_escape(r$method));
+	local cmd = fmt("curl -s -g -o %s -D %s -X %s",
+	                safe_shell_quote(bodyfile),
+	                safe_shell_quote(headersfile),
+	                safe_shell_quote(r$method));
 
 	cmd = fmt("%s -m %.0f", cmd, r$max_time);
 
@@ -70,9 +70,9 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
 	if ( r?$addl_curl_args )
 		cmd = fmt("%s %s", cmd, r$addl_curl_args);
 
-	cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url));
+	cmd = fmt("%s %s", cmd, safe_shell_quote(r$url));
 	# Make sure file will exist even if curl did not write one.
-	cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile));
+	cmd = fmt("%s && touch %s", cmd, safe_shell_quote(bodyfile));
 	return cmd;
 	}
 

scripts/base/utils/dir.bro

@@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string],
                       callback: function(fname: string),
                       poll_interval: interval)
 	{
-	when ( local result = Exec::run([$cmd=fmt("ls -1 \"%s/\"", str_shell_escape(dir))]) )
+	when ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
 		{
 		if ( result$exit_code != 0 )
 			{

scripts/base/utils/exec.bro

@@ -8,7 +8,7 @@ export {
 	type Command: record {
 		## The command line to execute.  Use care to avoid injection
 		## attacks (i.e., if the command uses untrusted/variable data,
-		## sanitize it with :bro:see:`str_shell_escape`).
+		## sanitize it with :bro:see:`safe_shell_quote`).
 		cmd:         string;
 		## Provide standard input to the program as a string.
 		stdin:       string      &default="";
@@ -122,7 +122,7 @@ event Input::end_of_data(orig_name: string, source:string)
 		delete pending_files[name][track_file];
 		if ( |pending_files[name]| == 0 )
 			delete pending_commands[name];
-		system(fmt("rm \"%s\"", str_shell_escape(track_file)));
+		system(fmt("rm %s", safe_shell_quote(track_file)));
 		}
 	}
 
@@ -191,5 +191,5 @@ event bro_done()
 	# We are punting here and just deleting any unprocessed files.
 	for ( uid in pending_files )
 		for ( fname in pending_files[uid] )
-			system(fmt("rm \"%s\"", str_shell_escape(fname)));
+			system(fmt("rm %s", safe_shell_quote(fname)));
 	}