More securely quote $BB_FILES

bin/blackbox_register_new_file

@@ -46,6 +46,8 @@ if $SECRETSEXPOSED ; then
   COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
 else
   COMMIT_FILES="$BB_FILES $encrypted_file"
+  # FIXME(tal): This should be an array so that filenames with
+  # spaces aren't a problem.
 fi
 
 # TODO(tlim): This should be moved to _blackbox_common.sh in a
@@ -61,7 +63,7 @@ if [[ $VCS_TYPE = 'git' ]]; then
 fi
 
 echo 'NOTE: "already tracked!" messages are safe to ignore.'
-vcs_add $BB_FILES $encrypted_file
+vcs_add "$BB_FILES" $encrypted_file
 vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
 echo "========== UPDATING VCS: DONE"
 echo "Local repo updated.  Please push when ready."

bin/blackbox_shred_all_files

@@ -22,7 +22,7 @@ source ${blackbox_home}/_blackbox_common.sh
 change_to_root
 
 echo '========== FILES BEING SHREDDED:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then

bin/blackbox_update_all_files

@@ -23,7 +23,7 @@ awk <"$BB_FILES" '{ print "    " $1 ".gpg" }'
 
 echo '========== FILES IN THE WAY:'
 need_warning=false
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then
@@ -40,7 +40,7 @@ else
 fi
 
 echo '========== RE-ENCRYPTING FILES:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   echo ========== PROCESSING "$unencrypted_file"
@@ -53,7 +53,7 @@ done
 fail_if_keychain_has_secrets
 
 echo '========== COMMITING TO VCS:'
-vcs_commit 'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )
 
 VCSCMD=$(which_vcs)
 echo '========== DONE.'