Comment 32 for bug 2056372

Dominic (triatic) wrote :

Thinking more about this, wouldn't invoking /bin/bash actually increase the attack potential, by allowing for backticks and $() to execute via user-supplied data?

Also, it's not clear to me that ${quote} escapes backticks or $().
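
An added illustration of the question raised in this comment (not part of the original comment and not the project's code): it shows that bash still expands `$()` and backticks in data interpolated into a double-quoted command string, and that passing the data as a positional parameter avoids this. The sample inputs are constructed, and `dq_escape` is a hypothetical helper that escapes only backslashes and double quotes; it is not claimed to match what `${quote}` does.

```shell
#!/bin/sh
# Added example. The inputs below are constructed and use a harmless echo.
untrusted_dollar='$(echo INJECTED)'
untrusted_tick='`echo INJECTED`'

# The comment discusses /bin/bash; fall back if it is installed elsewhere.
BASH_BIN=/bin/bash
[ -x "$BASH_BIN" ] || BASH_BIN=$(command -v bash || command -v sh)

# Pattern in question: the data becomes part of the text that bash parses,
# here inside double quotes, where $() and backticks are still expanded.
run_interpolated() {
    "$BASH_BIN" -c "printf '%s' \"$1\""
}

# Hypothetical quoting helper (an assumption, not the ${quote} from the bug):
# escapes only backslash and double quote.
dq_escape() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Mitigation: keep the command text constant and hand the data over as a
# positional parameter, so bash never parses it as code.
run_as_argument() {
    "$BASH_BIN" -c 'printf "%s" "$1"' _ "$1"
}

for data in "$untrusted_dollar" "$untrusted_tick"; do
    printf 'input:        %s\n' "$data"
    printf 'interpolated: %s\n' "$(run_interpolated "$data")"
    printf 'dq-escaped:   %s\n' "$(run_interpolated "$(dq_escape "$data")")"
    printf 'as argument:  %s\n' "$(run_as_argument "$data")"
done
```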