From a03c2d9b2faff5dca000d54f06738c0097e70864 Mon Sep 17 00:00:00 2001
From: wiz
Date: Tue, 5 Apr 2011 09:13:42 +0000
Subject: Fix CVE-2008-0386 using patch from upstream repository. Patch created by Makoto Fujiwara. Bump PKGREVISION, set LICENSE.
---
misc/xdg-utils/patches/patch-aa | 47 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 misc/xdg-utils/patches/patch-aa
(limited to 'misc/xdg-utils/patches/patch-aa')
diff --git a/misc/xdg-utils/patches/patch-aa b/misc/xdg-utils/patches/patch-aa
new file mode 100644
index 00000000000..da993821cd5
--- /dev/null
+++ b/misc/xdg-utils/patches/patch-aa
@@ -0,0 +1,47 @@
+$NetBSD: patch-aa,v 1.1 2011/04/05 09:13:43 wiz Exp $
+
+ 2008-01-24 Kevin Krammer
+ * Fixing security issue in xdg-email and xdg-open at replacing
+ parameter in $BROWSER
+
+diff --git a/scripts/xdg-email b/scripts/xdg-email
+index 87f0fc0..3b07f5d 100755
+--- a/scripts/xdg-email
++++ ./scripts/xdg-email
+@@ -435,7 +435,8 @@ open_generic()
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
+@@ -495,7 +496,7 @@ while [ $# -gt 0 ] ; do
+ exit_failure_syntax "email address argument missing for --to"
+ fi
+ url_encode "$1"
+- options="${options}to=${result}&"
++ options="${options}to=${result}&"
+ shift
+ ;;
+
+@@ -531,7 +532,7 @@ while [ $# -gt 0 ] ; do
+ exit_failure_syntax "text argument missing for --body option"
+ fi
+ url_encode "$1"
+- options="${options}body=${result}&"
++ options="${options}body=${result}&"
+ shift
+ ;;
+
+@@ -575,7 +576,7 @@ done
+
+ if [ -z "${mailto}" ] ; then
+ # TO address is optional
+- mailto="mailto:?"
++ mailto="mailto:?"
+ fi
+
+ case $mailto in
-- cgit v1.2.3
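Review bot: In the open_generic hunk of the embedded xdg-email patch, the substituted command is still executed through the unchanged context line `else $browser_with_arg;`, an unquoted expansion, so the URL in `$1` is word-split on the new `IFS=' '` and also undergoes pathname expansion; a URL containing a space or a glob character such as `?` or `*` can therefore reach the browser as extra or altered arguments. Consider disabling globbing around the call (`set -f` before, `set +f` after) and substituting `%s` only after `$browser` has been split into words, so the URL always remains a single argument. `IFS=' '` is also never restored, so it stays in effect for whatever runs after this loop, and `${browser//'%s'/"$1"}` is a bash-style expansion that may fail if the script is run by a plain POSIX `/bin/sh` (the shebang is not visible here). The body of open_generic starts and ends outside the hunk.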