How is that dangerous? If you pipe output from a directory listing to *any* command you need to sanitize it.
That's normal if you have data that can be created by a user. The issue is known since the very beginning of Linux
- Create a malicious directory lty via dovecot
- Re: Create a malicious directory Reto via dovecot
- Re: Create a malicious directory @lbutlr via dovecot
- Re: Create a malicious directory L A Walsh via dovecot
