Merge branch 'cve_2019-14894-user_awesomespawn_for_runcmd' into '5.11.z'

CVE-2019-14894 fixes to `MiqUtil.runcmd` callers

See merge request cloudforms/cfme!1079

(cherry picked from commit 0c460d0)

lib/evm_database_ops.rb

@@ -17,7 +17,8 @@ def self.backup_destination_free_space(file_location)
     FileUtils.mkdir_p(parent_directory)
 
     free_space = begin
-      output = MiqUtil.runcmd("df -P #{parent_directory}")
+      cmd_args  = {:params => {:P => parent_directory}}
+      output    = MiqUtil.runcmd("df", cmd_args)
       data_line = output.split("\n")[1] if output.kind_of?(String)
       data_line.split[3].to_i * 1024 if data_line
     end

lib/miq_apache/control.rb

@@ -61,8 +61,7 @@ def self.stop
     def self.run_apache_cmd(command)
       Dir.mkdir(File.dirname(APACHE_CONTROL_LOG)) unless File.exist?(File.dirname(APACHE_CONTROL_LOG))
       begin
-        cmd = "apachectl #{command}"
-        res = MiqUtil.runcmd(cmd)
+        res = MiqUtil.runcmd("apachectl", :params => [[command]])
       rescue => err
         $log.warn("MIQ(MiqApache::Control.run_apache_cmd) Apache command #{command} with result: #{res} failed with error: #{err}") if $log
       end

lib/miq_environment.rb

@@ -70,7 +70,7 @@ def self.supports_command?(cmd)
 
       begin
         # If 'which apachectl' returns non-zero, it wasn't found
-        MiqUtil.runcmd("#{which} #{cmd}")
+        MiqUtil.runcmd(which, :params => [[cmd]])
       rescue
         false
       else