Substituting into a shell command-line without escaping is a bad idea.
If the argument is attacker-controlled, it's a security vulnerability;
if the argument is legitimate-user-controlled (as I think it is here)
it's merely wrong.

We could escape the filename with g_shell_quote(), but it's more
straightforward to take advantage of the shell's argument processing.
The first positional parameter (if given) is $0, and the rest are $@.

Signed-off-by: Simon McVittie <smcv@debian.org>
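
The difference the commit message above describes, as an added example that is not part of the original commit or the project's code. The function names, the temporary file and its name are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a file whose name contains a space and a ';'.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_file="$demo_dir/a b; echo INJECTED"
printf 'one\ntwo\n' > "$demo_file"

# Substitution: the filename is pasted into the command text, so the
# inner shell re-parses it. The space splits it into two words and the
# ';' ends the cat command, so the rest of the name runs as a command.
show_substituted() {
    sh -c "cat $1" 2>/dev/null
}

# Positional parameters: the command text is a constant string. The
# first word after it becomes $0 (only used in messages), the filename
# arrives in "$@" and is never parsed as shell syntax.
show_positional() {
    sh -c 'cat -- "$@"' sh "$1"
}

printf 'substituted: %s\n' "$(show_substituted "$demo_file")"
printf 'positional:  %s\n' "$(show_positional "$demo_file")"
```

The substituted form prints `INJECTED` and never reads the file; the positional form prints the file's two lines.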
Without this, if you run as root (which is generally a poor idea), it will
extract the sources with the user/group specified on the archive, which
is never what you want when building code.