Fix CVE-2008-0386 using patch from upstream repository.

Patch created by Makoto Fujiwara.

Bump PKGREVISION, set LICENSE.

1 files changed, 47 insertions, 0 deletions

diff --git a/misc/xdg-utils/patches/patch-aa b/misc/xdg-utils/patches/patch-aa
new file mode 100644
index 00000000000..da993821cd5
--- /dev/null
+++ b/misc/xdg-utils/patches/patch-aa
@@ -0,0 +1,47 @@
+$NetBSD: patch-aa,v 1.1 2011/04/05 09:13:43 wiz Exp $
+
+ 2008-01-24 Kevin Krammer <kevin.krammer@gmx.at>
+     * Fixing security issue in xdg-email and xdg-open at replacing
+       parameter in $BROWSER
+
+diff --git a/scripts/xdg-email b/scripts/xdg-email
+index 87f0fc0..3b07f5d 100755
+--- a/scripts/xdg-email
++++ ./scripts/xdg-email
+@@ -435,7 +435,8 @@ open_generic()
+     for browser in $BROWSER; do
+         if [ x"$browser" != x"" ]; then
+ 
+-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++            IFS=' '
++            browser_with_arg=${browser//'%s'/"$1"}
+ 
+             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+             else $browser_with_arg;
+@@ -495,7 +496,7 @@ while [ $# -gt 0 ] ; do
+             exit_failure_syntax "email address argument missing for --to"
+         fi
+         url_encode "$1"
+-        options="${options}to=${result}&" 
++        options="${options}to=${result}&"
+         shift
+         ;;
+ 
+@@ -531,7 +532,7 @@ while [ $# -gt 0 ] ; do
+             exit_failure_syntax "text argument missing for --body option"
+         fi
+         url_encode "$1"
+-        options="${options}body=${result}&" 
++        options="${options}body=${result}&"
+         shift
+         ;;
+ 
+@@ -575,7 +576,7 @@ done
+ 
+ if [ -z "${mailto}" ] ; then
+     # TO address is optional
+-    mailto="mailto:?"    
++    mailto="mailto:?"
+ fi
+ 
+ case $mailto in