CString::from_vec_unchecked may not need to be `unsafe`

[huonw]

It's not obvious if one can cause memory unsafety with this function: when would an interior null be problematic?

Pointed out by @wthrowe in rust-lang/rfcs#1323 (comment).

[bluss]

The question is if we want to drop the invariant that CString is guarding (no interior nulls). thestinger claims this causes security bugs. It's certainly in the category of problem prevention rather than direct memory safety.

[alexcrichton]

The libs team discussed this during triage yesterday and the conclusion was that it is a static contract of the CString type that there are no interior nul bytes. It is considered suitable for types which provide these sorts of static contracts to use unsafe for methods that may violate this, so this fits within the conventions of the standard library.