cuviper/ssh-pageant

SSH_AUTH_SOCK is not sanitized for eval


If you run something like ssh-pageant -a "foo bar", you'll get back SSH_AUTH_SOCK=foo bar; export SSH_AUTH_SOCK;. When that's fed into eval as commonly suggested, the shell will complain bar: command not found, because the space broke up the command string.

This can be a real issue if you try to use something like $LOCALAPPDATA/foo, because Cygwin will let that Windows-style path work within ssh-pageant, but the eval will interpret backslashes in C:\Users\... as shell escapes.

It really ought to be quoted, probably single quotes with extra handling in case the path includes single quotes itself.

FWIW, ssh-agent also doesn't quote anything, but I can't think of any good reason not to.
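Single-quoting the path as proposed above, written out as an added example in C (not ssh-pageant's own code; the function names are assumed): inside single quotes a POSIX shell does no word splitting and no backslash processing, so the only byte needing care is an embedded single quote, which becomes `'\''`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap `s` in single quotes for a POSIX shell. Only an embedded quote needs
 * handling: it becomes '\'' (close quote, escaped quote, reopen quote).
 * Spaces and backslashes pass through untouched. Caller frees the result.
 * Added example, not ssh-pageant's own code. */
char *shell_single_quote(const char *s)
{
    size_t quotes = 0;
    for (const char *p = s; *p; p++)
        quotes += (*p == '\'');
    /* 2 surrounding quotes + 3 extra bytes per embedded quote + NUL */
    char *out = malloc(strlen(s) + 2 + quotes * 3 + 1), *o = out;
    if (!out) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* The line ssh-pageant prints for eval, with the socket path quoted. */
char *auth_sock_export_line(const char *path)
{
    char *q = shell_single_quote(path);
    if (!q) return NULL;
    const char *fmt = "SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n";
    size_t n = strlen(fmt) + strlen(q) + 1;
    char *line = malloc(n);
    if (line) snprintf(line, n, fmt, q);
    free(q);
    return line;
}

int main(void)
{
    /* constructed sample path: a space, backslashes and a single quote */
    char *line = auth_sock_export_line("C:\\Users\\foo bar\\it's.sock");
    if (line) fputs(line, stdout);
    free(line);
    return line ? 0 : 1;
}
```

Feeding the printed line to `eval` leaves `$SSH_AUTH_SOCK` equal to the original path byte for byte.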