Use %COMSPEC% not "cmd" to prevent hijacking. Fixes #5254

[JamesParrott]

Security:

• Security fix for vulnerability on Windows; Xonsh will no longer execute default cmd commands†
  using a malicious "cmd.bat" file in the current directory.

† cls, copy, del, dir, echo, erase, md, mkdir, mklink, move, rd, ren, rename, rmdir, time, type, & vol

#issuenumber 5254

[github-actions]

Warning! No news item is found for this PR.
If this is an user facing change/feature/fix, please add a news item by copying the format from news/TEMPLATE.rst.

[JamesParrott]

FYI: https://ss64.com/nt/syntax-variables.html
https://en.wikipedia.org/wiki/COMSPEC

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (e3a6dcf) 67.15% compared to head (387f81a) 67.12%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5255      +/-   ##
==========================================
- Coverage   67.15%   67.12%   -0.04%     
==========================================
  Files         119      119              
  Lines       23124    23124              
  Branches     4855     4855              
==========================================
- Hits        15530    15522       -8     
- Misses       6389     6398       +9     
+ Partials     1205     1204       -1     

Flag	Coverage Δ
macOS-latest	64.43% <0.00%> (-0.02%)	⬇️
ubuntu-latest	64.72% <0.00%> (-0.04%)	⬇️
windows-latest	63.09% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jnoortheen]

This LGTM! any thoughts @anki-code @gforsyth ?

[gforsyth]

I'll cut a release.