e107: Command Injection via shell expansion in ImageMagick resize destination path

An authenticated non-admin user submits a news item whose title contains a shell command substitution payload (e.g., `$(cmd)` or backticks) with a tab character in place of a space. The title filter strips literal spaces but leaves tabs intact, and the first six characters of the title become part of the destination filename in the ImageMagick `convert` command. Because the destination path is only double-quoted (not shell-escaped), `/bin/sh -c` evaluates the embedded command substitution. The attack requires four non-default settings: `resize_method=ImageMagick`, `subnews_attach=1`, `upload_enabled=1`, and `subnews_resize` set to a numeric value between 30 and 5000, plus the attacker must belong to a member class permitted by both `subnews_class` and `upload_class` [ref_id=2].

The vulnerability resides in `resize_handler.php` where the ImageMagick `convert` command is built: the source path is escaped with `escapeshellarg()` but the destination path is inserted inside raw double quotes (`"..."`), allowing shell command substitution. In `submitnews.php`, the destination filename includes the first six characters of the user-controlled news title, which is filtered only by `str_replace(" ", "_", ...)` — tab characters (0x09) survive and act as shell IFS separators, enabling injection of `$(...)` or backtick payloads.

The patch applies `escapeshellarg()` to the destination filename in `resize_handler.php`, preventing shell metacharacters from being interpreted by `/bin/sh -c`. Additionally, `submitnews.php` now confines the title slug to `[A-Za-z0-9_]` before it reaches `resize_image()`, so shell metacharacters are stripped even if a future caller relaxes the quoting. The integer geometry and quality arguments are also cast to integers [ref_id=1].