Protect against shell meta characters in file names when running filter.

Based on a Gentoo fix found by robert@

x11/xloadimage/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.26 2004/12/17 15:03:18 alek Exp $
+# $OpenBSD: Makefile,v 1.27 2005/03/06 01:31:10 naddy Exp $
 
 COMMENT=	"graphics file viewer for X11"
 
@@ -6,7 +6,7 @@ VERSION=	4.1
 REVISION=	14	# Debian
 
 DISTNAME=	xloadimage.${VERSION}
-PKGNAME=	xloadimage-${VERSION}.${REVISION}
+PKGNAME=	xloadimage-${VERSION}.${REVISION}p0
 CATEGORIES=	x11 graphics
 
 MAINTAINER=	Christian Weisgerber <naddy@openbsd.org>

x11/xloadimage/patches/patch-zio_c

@@ -0,0 +1,35 @@
+$OpenBSD: patch-zio_c,v 1.1 2005/03/06 01:31:11 naddy Exp $
+--- zio.c.orig	Sat Mar  5 21:32:19 2005
++++ zio.c	Sat Mar  5 21:41:06 2005
+@@ -210,9 +210,30 @@ ZFILE *zopen(name)
+     if ((strlen(name) > strlen(filter->extension)) &&
+ 	!strcmp(filter->extension,
+ 		name + (strlen(name) - strlen(filter->extension)))) {
++      char *fname, *t, *s;
++
++      /* meta-char protection
++       *
++       * protect in single quotes, replacing single quotes
++       * with '\'', so worst-case expansion is 4x
++       */
++
++      s = fname = (char *)lmalloc(1 + (4 * strlen(name)) + 1 + 1);
++      *s++ = '\'';
++      for (t = name; *t; t++) {
++	if (*t == '\'') {
++	  /* 'foo'bar' -> 'foo'\''bar' */
++	  *s++ = '\''; *s++ = '\\'; *s++ = '\''; *s++ = '\'';
++	}
++	else {
++	  *s++ = *t;
++	}
++      }
++      *s++ = '\'';
++      *s++ = '\0';
+       debug(("Filtering image through '%s'\n", filter->filter));
+       zf->type= ZPIPE;
+-      sprintf(buf, "%s %s", filter->filter, name);
++      sprintf(buf, "%s %s", filter->filter, fname);
+       if (! (zf->stream= popen(buf, "r"))) {
+ 	lfree((byte *)zf->filename);
+ 	zf->filename= NULL;