doctor.rb in rubygems-update-3.2.33

- old
+ new

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
 require "rbconfig"
+require "shellwords"
 
 module Bundler
   class CLI::Doctor
     DARWIN_REGEX = /\s+(.+) \(compatibility /.freeze
     LDD_REGEX = /\t\S+ => (\S+) \(\S+\)/.freeze
@@ -20,17 +21,17 @@
     def ldd_available?
       Bundler.which("ldd")
     end
 
     def dylibs_darwin(path)
-      output = `/usr/bin/otool -L "#{path}"`.chomp
+      output = `/usr/bin/otool -L #{path.shellescape}`.chomp
       dylibs = output.split("\n")[1..-1].map {|l| l.match(DARWIN_REGEX).captures[0] }.uniq
       # ignore @rpath and friends
       dylibs.reject {|dylib| dylib.start_with? "@" }
     end
 
     def dylibs_ldd(path)
-      output = `/usr/bin/ldd "#{path}"`.chomp
+      output = `/usr/bin/ldd #{path.shellescape}`.chomp
       output.split("\n").map do |l|
         match = l.match(LDD_REGEX)
         next if match.nil?
         match.captures[0]
       end.compact