luci-app-lxc: fix authenticated path traversal and ACL bypass (host root)

luci-app-lxc: fix authenticated path traversal and ACL bypass (host root)

* ucode fixes:
  - tighten `is_valid_lxc_name` regex to `^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}$`
  - apply the validator in `lxc_configuration_get` and `lxc_configuration_set` before any filesystem access
  - reject the `'lxc error: …'` sentinel string returned by `lxc_get_config_path()` on failure,
    rather than concatenating it into a path.
  - shellquote `LXC_URL` in `lxc_get_downloadable` and `lxc_create`
* ACL fix: add `depends.acl = ["luci-app-lxc"]` to each of the five backend entries,
   so the routes share the same authorization gate as the view

Signed-off-by: Dirk Brenken <redacted>