Closed xworld21 closed 9 months ago
It's great you took the effort to make sure escaping works correctly in Windows - much appreciated!
Side note: it is impossible to escape arguments 100% correctly on Windows, because each binary is responsible for parsing its own command line and while most adopt the same scheme, Cygwin, MSYS2, etc. sometimes do things differently, or so I hear. When it comes to kpsewhich, I understand that both MikTeX and TeX Live are built with Visual Studio, so they should be using `CommandLineToArgvW` under the hood. Hence Win32::ShellQuote is the correct choice for them. With Cygwin, LaTeXML is already 100% broken so let's not think about it.
The important thing is that the `-|` pattern with a list of arguments is guaranteed to execute the binary directly, with no risk of creating pipes, redirections, etc. so it is safe in all settings. Well, unless you know how to exploit kpsewhich (the Cygwin one!) with a weird command line argument...
Better fix for #2293: after adding some Windows-specific escaping, kpsewhich can be called with arbitrary file names, even with special characters, and so `pathname_is_nasty` can be removed altogether. This supersedes #2295, #2294.

The `if (open(my $resfh, '-|', ...))` block can definitely be useful elsewhere. In Util::Pathname, there are two backticks left, and there are a few other not-quite-safe system calls in other modules. However, @brucemiller @dginev you should decide if and how to make that happen, e.g. a new Util module maybe?
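
Added example, not part of this pull request or of LaTeXML's code: a round trip through the `CommandLineToArgvW`-style backslash and quote rules discussed above, showing that file names with special characters survive once each argument is quoted. `quote_arg` and `parse_cmdline` are hypothetical helpers written for this illustration (they are not Win32::ShellQuote's implementation), the file names are constructed samples, and the parser omits the special handling of the program name and of doubled quotes inside a quoted region.

```perl
use strict;
use warnings;

# Quote one argument so a CommandLineToArgvW-style parser returns it unchanged.
sub quote_arg {
  my ($arg) = @_;
  return $arg if $arg ne '' && $arg !~ /[ \t\n\x0b"]/;    # nothing to protect
  $arg =~ s/(\\*)"/$1$1\\"/g;    # n backslashes + quote -> 2n+1 backslashes + quote
  $arg =~ s/(\\+)\z/$1$1/;       # double trailing backslashes before the closing quote
  return qq{"$arg"};
}

# Split a command line the way the child process would (simplified rules).
sub parse_cmdline {
  my ($line) = @_;
  my (@argv, $in_quotes);
  my ($cur, $started) = ('', 0);
  while ($line =~ /\G(?:(\\*)"|(\\+)|([ \t]+)|([^\\" \t]+))/gc) {
    if (defined $1) {            # backslashes followed by a quote
      $cur .= '\\' x int(length($1) / 2);
      if (length($1) % 2) { $cur .= '"' }                 # odd: literal quote
      else                { $in_quotes = !$in_quotes }    # even: toggle quoting
      $started = 1;
    }
    elsif (defined $2) { $cur .= $2; $started = 1 }       # literal backslashes
    elsif (defined $3) {                                  # spaces or tabs
      if    ($in_quotes) { $cur .= $3 }
      elsif ($started)   { push @argv, $cur; ($cur, $started) = ('', 0) }
    }
    else { $cur .= $4; $started = 1 }                     # ordinary characters
  }
  push @argv, $cur if $started;
  return @argv;
}

# Constructed sample file names. '&' and '|' need no quoting here: they only
# matter to a shell, and the list form of open '-|' never starts one.
my @names = ('plain.tex', 'my paper.tex', 'a "quoted" name.tex',
  'C:\\My Docs\\', 'x & y | z.tex', '');

my $line = join ' ', 'kpsewhich', map { quote_arg($_) } @names;
my @back = parse_cmdline($line);
shift @back;    # drop the program name
print "$line\n";
print join("\0", @back) eq join("\0", @names)
  ? "round trip ok\n" : "round trip FAILED\n";
```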