[makeotf] bash code in style name is executed

[frankrolf]

This is another obscure one:
There was an instance where a student back-ticked their style name:

Exercise3-`Semibold`

As a result, I noticed that makeotf seems to execute code in the style name while trying to compile the font:

makeotf [Note] Using features file at './features.fea'.
/bin/sh: Semibold: command not found
makeotfexe [WARNING] not in FontMenuNameDB [Exercise3-`Semibold`]
makeotfexe [FATAL] <Exercise3-`Semibold`> I can't find a Family name for this font !
makeotf [Error] Failed to build output font file 'Exercise3-`Semibold`.otf'.

I was curious what would happen if I set the style name of an UFO to a real bash command, and indeed it works:

		<key>postscriptFontName</key>
		<string>Exercise3-`ls`</string>

makeotf [Note] Using features file at './features.fea'.
makeotfexe [WARNING] not in FontMenuNameDB [Exercise3-`ls`]
makeotfexe [FATAL] file error <File name too long> [Exercise3-Exercise3-.otf
Exercise3-Exercise3-features.fea
font.ufo
fontinfo
kern.fea
mark.fea
markclasses.fea
mkmk.fea.otf
features.fea
font.ufo
fontinfo
kern.fea
mark.fea
markclasses.fea
mkmk.fea.otf
Exercise3-features.fea
makeotf [Error] Failed to build output font file 'Exercise3-`ls`.otf'.

I did not figure out how to include spaces, otherwise I’d have tried

Exercise3-`rm -r font.ufo`

I am not sure how much of a real-world issue this is, but it seems a bit odd it’s possible for commands being executed this way.