SECURITY FIX for potential remote shell command execution

Details at http://bugzilla.xfce.org/show_bug.cgi?id=3383

from maintainer Landry Breuil

x11/xfce4/terminal/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.3 2007/05/28 19:53:07 steven Exp $
+# $OpenBSD: Makefile,v 1.4 2007/09/06 18:44:52 steven Exp $
 
 COMMENT=	"lightweight vte-based terminal for xfce4"
 
 V=		0.2.6
 DISTNAME=	Terminal-${V}
-PKGNAME=	terminal-${V}p0
+PKGNAME=	terminal-${V}p1
 
 HOMEPAGE=	http://www.xfce.org/projects/terminal/
 MAINTAINER=	Landry Breuil <gaston@gcu.info>

x11/xfce4/terminal/patches/patch-helpers_balsa_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_balsa_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/balsa.desktop.in.orig	Wed Sep  5 18:25:46 2007
++++ helpers/balsa.desktop.in	Wed Sep  5 18:26:06 2007
+@@ -5,4 +5,4 @@ _Name=Balsa
+ Type=Application
+ X-Terminal-Binaries=balsa
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B -m "mailto:%u"
++X-Terminal-Command=%B -m mailto:%u

x11/xfce4/terminal/patches/patch-helpers_epiphany_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_epiphany_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/epiphany.desktop.in.orig	Wed Sep  5 18:26:15 2007
++++ helpers/epiphany.desktop.in	Wed Sep  5 18:26:23 2007
+@@ -5,4 +5,4 @@ _Name=Epiphany Web Browser
+ Type=Application
+ X-Terminal-Binaries=epiphany;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B "%u"
++X-Terminal-Command=%B %u

x11/xfce4/terminal/patches/patch-helpers_evolution_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_evolution_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/evolution.desktop.in.orig	Thu Sep  6 19:25:45 2007
++++ helpers/evolution.desktop.in	Thu Sep  6 19:25:50 2007
+@@ -5,4 +5,4 @@ _Name=Novell Evolution
+ Type=Application
+ X-Terminal-Binaries=evolution-2.2;evolution-2.0;evolution-1.6;evolution-1.5;evolution-1.4;evolution;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B "mailto:%u"
++X-Terminal-Command=%B mailto:%u

x11/xfce4/terminal/patches/patch-helpers_exo-open-browser_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_exo-open-browser_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/exo-open-browser.desktop.in.orig	Wed Sep  5 18:26:34 2007
++++ helpers/exo-open-browser.desktop.in	Wed Sep  5 18:26:44 2007
+@@ -5,4 +5,4 @@ _Name=Default Web Browser (Xfce)
+ Type=Application
+ X-Terminal-Binaries=exo-open
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B --launch WebBrowser "%u"
++X-Terminal-Command=%B --launch WebBrowser %u

x11/xfce4/terminal/patches/patch-helpers_exo-open-mailer_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_exo-open-mailer_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/exo-open-mailer.desktop.in.orig	Wed Sep  5 18:27:06 2007
++++ helpers/exo-open-mailer.desktop.in	Wed Sep  5 18:27:16 2007
+@@ -5,4 +5,4 @@ _Name=Default Mail Reader (Xfce)
+ Type=Application
+ X-Terminal-Binaries=exo-open
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B --launch MailReader "%u"
++X-Terminal-Command=%B --launch MailReader %u

x11/xfce4/terminal/patches/patch-helpers_firefox_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_firefox_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/firefox.desktop.in.orig	Wed Sep  5 18:27:25 2007
++++ helpers/firefox.desktop.in	Wed Sep  5 18:27:47 2007
+@@ -5,4 +5,4 @@ _Name=Mozilla Firefox
+ Type=Application
+ X-Terminal-Binaries=firefox;firefox-gtk2;firefox-gtk;mozilla-firefox;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B -remote "openURL(%u)" || %B "%u"
++X-Terminal-Command=%B -remote openURL\(%u\) || %B %u

x11/xfce4/terminal/patches/patch-helpers_galeon_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_galeon_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/galeon.desktop.in.orig	Wed Sep  5 18:28:03 2007
++++ helpers/galeon.desktop.in	Wed Sep  5 18:28:09 2007
+@@ -5,4 +5,4 @@ _Name=Galeon Web Browser
+ Type=Application
+ X-Terminal-Binaries=galeon;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B "%u"
++X-Terminal-Command=%B %u

x11/xfce4/terminal/patches/patch-helpers_kmail_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_kmail_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/kmail.desktop.in.orig	Wed Sep  5 18:28:17 2007
++++ helpers/kmail.desktop.in	Wed Sep  5 18:28:24 2007
+@@ -5,4 +5,4 @@ _Name=KMail
+ Type=Application
+ X-Terminal-Binaries=kmail;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B "%u"
++X-Terminal-Command=%B %u

x11/xfce4/terminal/patches/patch-helpers_konqueror_desktop_in

@@ -0,0 +1,11 @@
+$OpenBSD: patch-helpers_konqueror_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/konqueror.desktop.in.orig	Wed Sep  5 18:28:32 2007
++++ helpers/konqueror.desktop.in	Wed Sep  5 18:28:40 2007
+@@ -5,6 +5,6 @@ _Name=Konqueror
+ Type=Application
+ X-Terminal-Binaries=konqueror;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B "%u"
++X-Terminal-Command=%B %u
+ 
+ 

x11/xfce4/terminal/patches/patch-helpers_lynx_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_lynx_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/lynx.desktop.in.orig	Wed Sep  5 18:28:47 2007
++++ helpers/lynx.desktop.in	Wed Sep  5 18:28:55 2007
+@@ -5,4 +5,4 @@ _Name=Lynx
+ Type=Application
+ X-Terminal-Binaries=lynx;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=Terminal -x %B "%u"
++X-Terminal-Command=Terminal -x %B %u

x11/xfce4/terminal/patches/patch-helpers_mozilla-browser_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_mozilla-browser_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/mozilla-browser.desktop.in.orig	Wed Sep  5 18:29:13 2007
++++ helpers/mozilla-browser.desktop.in	Wed Sep  5 18:29:30 2007
+@@ -5,4 +5,4 @@ _Name=Mozilla Browser
+ Type=Application
+ X-Terminal-Binaries=mozilla;mozilla-gtk2;mozilla-gtk;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B -remote "openURL(%u,new-window)" || %B "%u"
++X-Terminal-Command=%B -remote openURL\(%u,new-window\) || %B %u

x11/xfce4/terminal/patches/patch-helpers_mozilla-mailer_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_mozilla-mailer_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/mozilla-mailer.desktop.in.orig	Wed Sep  5 18:29:38 2007
++++ helpers/mozilla-mailer.desktop.in	Wed Sep  5 18:29:57 2007
+@@ -5,4 +5,4 @@ _Name=Mozilla Mail
+ Type=Application
+ X-Terminal-Binaries=mozilla;mozilla-gtk2;mozilla-gtk;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B -remote "mailto(%u)" || %B -compose "mailto:%u"
++X-Terminal-Command=%B -remote mailto\(%u\) || %B -compose mailto:%u

x11/xfce4/terminal/patches/patch-helpers_mutt_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_mutt_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/mutt.desktop.in.orig	Wed Sep  5 18:30:02 2007
++++ helpers/mutt.desktop.in	Wed Sep  5 18:30:09 2007
+@@ -5,4 +5,4 @@ _Name=Mutt
+ Type=Application
+ X-Terminal-Binaries=mutt;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=Terminal -x %B "%u"
++X-Terminal-Command=Terminal -x %B %u

x11/xfce4/terminal/patches/patch-helpers_opera-browser_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_opera-browser_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/opera-browser.desktop.in.orig	Wed Sep  5 18:30:16 2007
++++ helpers/opera-browser.desktop.in	Wed Sep  5 18:30:38 2007
+@@ -5,4 +5,4 @@ _Name=Opera Browser
+ Type=Application
+ X-Terminal-Binaries=opera;
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B -remote "openURL(%u,new-window)" || %B "%u"
++X-Terminal-Command=%B -remote openURL\(%u,new-window\) || %B %u

x11/xfce4/terminal/patches/patch-helpers_opera-mailer_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_opera-mailer_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/opera-mailer.desktop.in.orig	Wed Sep  5 18:30:49 2007
++++ helpers/opera-mailer.desktop.in	Wed Sep  5 18:31:06 2007
+@@ -5,4 +5,4 @@ _Name=Opera Mail
+ Type=Application
+ X-Terminal-Binaries=opera;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B -remote "openURL(mailto:%u)" || %B "mailto:%u"
++X-Terminal-Command=%B -remote openURL\(mailto:%u\) || %B mailto:%u

x11/xfce4/terminal/patches/patch-helpers_sensible-browser_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_sensible-browser_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/sensible-browser.desktop.in.orig	Wed Sep  5 18:31:14 2007
++++ helpers/sensible-browser.desktop.in	Wed Sep  5 18:31:22 2007
+@@ -5,4 +5,4 @@ _Name=Debian Sensible Browser
+ Type=Application
+ X-Terminal-Binaries=sensible-browser
+ X-Terminal-Category=WebBrowser
+-X-Terminal-Command=%B "%u"
++X-Terminal-Command=%B %u

x11/xfce4/terminal/patches/patch-helpers_sylpheed-claws_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_sylpheed-claws_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/sylpheed-claws.desktop.in.orig	Wed Sep  5 18:31:31 2007
++++ helpers/sylpheed-claws.desktop.in	Wed Sep  5 18:31:39 2007
+@@ -7,4 +7,4 @@ Type=Application
+ StartupNotify=true
+ X-Terminal-Binaries=sylpheed-claws;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B --compose "%u"
++X-Terminal-Command=%B --compose %u

x11/xfce4/terminal/patches/patch-helpers_thunderbird_desktop_in

@@ -0,0 +1,9 @@
+$OpenBSD: patch-helpers_thunderbird_desktop_in,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- helpers/thunderbird.desktop.in.orig	Wed Sep  5 18:31:48 2007
++++ helpers/thunderbird.desktop.in	Wed Sep  5 18:32:04 2007
+@@ -5,4 +5,4 @@ _Name=Mozilla Thunderbird
+ Type=Application
+ X-Terminal-Binaries=thunderbird;thunderbird-gtk2;thunderbird-gtk;mozilla-thunderbird;
+ X-Terminal-Category=MailReader
+-X-Terminal-Command=%B -remote "mailto(%u)" || %B -compose "mailto:%u"
++X-Terminal-Command=%B -remote mailto\(%u\) || %B -compose mailto:%u

x11/xfce4/terminal/patches/patch-terminal_terminal-helper_c

@@ -0,0 +1,44 @@
+$OpenBSD: patch-terminal_terminal-helper_c,v 1.1 2007/09/06 18:44:52 steven Exp $
+--- terminal/terminal-helper.c.orig	Wed Sep  5 18:32:23 2007
++++ terminal/terminal-helper.c	Wed Sep  5 18:34:30 2007
+@@ -349,6 +349,8 @@ terminal_helper_execute (TerminalHelper *helper,
+   gchar       *argv[4];
+   gchar       *command;
+   gchar       *t;
++  gchar       *escaped;
++  gchar       **parts;
+   guint        n;
+ 
+   g_return_if_fail (TERMINAL_IS_HELPER (helper));
+@@ -359,6 +361,10 @@ terminal_helper_execute (TerminalHelper *helper,
+     if (s[0] == '%' && g_ascii_tolower (s[1]) == 'u')
+       ++n;
+ 
++  parts = g_strsplit (uri, "$", 0);
++  escaped = g_shell_quote (g_strjoinv("\$", parts));
++  g_strfreev (parts);
++
+   if (n > 0)
+     {
+       command = g_new (gchar, strlen (helper->command) + n * strlen (uri) + 1);
+@@ -366,7 +372,7 @@ terminal_helper_execute (TerminalHelper *helper,
+         {
+           if (s[0] == '%' && g_ascii_tolower (s[1]) == 'u')
+             {
+-              for (u = uri; *u != '\0'; )
++              for (u = escaped; *u != '\0'; )
+                 *t++ = *u++;
+               s += 2;
+             }
+@@ -379,8 +385,10 @@ terminal_helper_execute (TerminalHelper *helper,
+     }
+   else
+     {
+-      command = g_strconcat (helper->command, " ", uri, NULL);
++      command = g_strconcat (helper->command, " ", escaped, NULL);
+     }
++
++  g_free (escaped);
+ 
+   argv[0] = "/bin/sh";
+   argv[1] = "-c";