Description: Collected Debian patches for xdg-utils
Author: Nicholas Guriev <guriev-ns@ya.ru>

The xdg-utils package is maintained in Git rather than maintaining
patches as separate files, and separating the patches doesn't seem to
be worth the effort.  They are therefore all included in this single
Debian patch.

For full commit history and separated commits, see the packaging Git
repository.

---

Index: xdg-utils-1.1.3/autotests/t-xdg-open.sh
===================================================================
Index: xdg-utils-1.1.3/scripts/xdg-email.in
===================================================================
Index: xdg-utils-1.1.3/scripts/xdg-mime.in
===================================================================
Index: xdg-utils-1.1.3/scripts/xdg-open.in
===================================================================
Index: xdg-utils-1.1.3/scripts/xdg-screensaver.in
===================================================================
Index: xdg-utils-1.1.3/scripts/xdg-utils-common.in
===================================================================
--- xdg-utils-1.1.3.orig/autotests/t-xdg-open.sh
+++ xdg-utils-1.1.3/autotests/t-xdg-open.sh
@@ -129,13 +129,6 @@ mock_desktop_file mosaic %u
 mock_default_app x-scheme-handler/http mosaic
 test_open_url generic mosaic
 
-test_that_it always uses \$BROWSER if set in generic mode
-BROWSER=cyberdog
-mock_desktop_file mosaic %u
-mock_default_app x-scheme-handler/http mosaic
-mock mosaic
-test_open_url generic cyberdog
-
 test_that_it works with multi-word \$BROWSER commands
 BROWSER="cyberdog --url %s"
 test_open_url generic cyberdog --url
@@ -146,6 +139,15 @@ mock cyberdog
 BROWSER="cyberdog --url %s"
 run generic xdg-open 'http://www.freedesktop.org/; echo BUSTED'
 assert_run cyberdog --url 'http://www.freedesktop.org/; echo BUSTED'
+unmock cyberdog
+
+test_that_it is not vulnerable to argument injection in URLs when using \
+             \$BROWSER in generic mode
+mock cyberdog
+BROWSER="cyberdog --url %s"
+run generic xdg-open 'http://www.freedesktop.org/   --evil-option'
+assert_run cyberdog --url 'http://www.freedesktop.org/   --evil-option'
+unmock cyberdog
 
 test_that_it opens files in generic mode
 test_generic_open_file test.txt
--- xdg-utils-1.1.3.orig/scripts/xdg-email.in
+++ xdg-utils-1.1.3/scripts/xdg-email.in
@@ -91,13 +91,13 @@ open_kde()
     fi
 
     if which $kreadconfig >/dev/null 2>&1; then
-        local profile=$($kreadconfig --file emaildefaults \
-                                     --group Defaults --key Profile)
+        local profile="$($kreadconfig --file emaildefaults \
+                                      --group Defaults --key Profile)"
         if [ -n "$profile" ]; then
-            local client=$($kreadconfig --file emaildefaults \
-                                        --group "PROFILE_$profile" \
-                                        --key EmailClient \
-                                  | cut -d ' ' -f 1)
+            local client="$($kreadconfig --file emaildefaults \
+                                         --group "PROFILE_$profile" \
+                                         --key EmailClient \
+                                  | cut -d ' ' -f 1)"
 
             if echo "$client" | grep -Eq 'thunderbird|icedove'; then
                 run_thunderbird "$client" "$1"
@@ -472,7 +472,7 @@ case "$DE" in
     open_gnome "${mailto}"
     ;;
 
-    gnome3|cinnamon|lxde|mate)
+    gnome3|cinnamon|lxde|mate|deepin)
     open_gnome3 "${mailto}"
     ;;
 
--- xdg-utils-1.1.3.orig/scripts/xdg-mime.in
+++ xdg-utils-1.1.3/scripts/xdg-mime.in
@@ -247,6 +247,7 @@ make_default_generic()
     default_file="$xdg_config_home/mimeapps.list"
     DEBUG 2 "make_default_generic $1 $2"
     DEBUG 1 "Updating $default_file"
+    [ -d "$xdg_config_home" ] || mkdir -p "$xdg_config_home"
     [ -f "$default_file" ] || touch "$default_file"
     awk -v mimetype="$2" -v application="$1" '
     BEGIN {
@@ -305,7 +306,7 @@ search_desktop_file()
 
     grep -l "$MIME;" "$dir/"*.desktop 2>/dev/null
 
-    for f in $dir/*/; do
+    for f in "$dir/"*/; do
       [ -d "$f" ] && search_desktop_file "$MIME" "$f"
     done
 }
--- xdg-utils-1.1.3.orig/scripts/xdg-open.in
+++ xdg-utils-1.1.3/scripts/xdg-open.in
@@ -142,7 +142,7 @@ open_kde()
     fi
 }
 
-open_dde()
+open_deepin()
 {
     if dde-open -version >/dev/null 2>&1; then
         dde-open "$1"
@@ -327,7 +327,7 @@ search_desktop_file()
         fi
     fi
 
-    for d in $dir/*/; do
+    for d in "$dir/"*/; do
         [ -d "$d" ] && search_desktop_file "$default" "$d" "$target"
     done
 }
@@ -366,13 +366,9 @@ open_generic_xdg_x_scheme_handler()
     fi
 }
 
-has_single_argument()
-{
-  test $# = 1
-}
-
 open_envvar()
 {
+    local url="$1"
     local oldifs="$IFS"
     local browser browser_with_arg
 
@@ -385,12 +381,15 @@ open_envvar()
         fi
 
         if echo "$browser" | grep -q %s; then
-            # Avoid argument injection.
+            # Use loop to insert URL for avoid argument injection.
             # See https://bugs.freedesktop.org/show_bug.cgi?id=103807
-            # URIs don't have IFS characters spaces anyway.
-            has_single_argument $1 && $(printf "$browser" "$1")
+            shift $#
+            for arg in $browser; do
+                set -- "$@" "$(printf -- "$arg" "$url")"
+            done
+            "$@"
         else
-            $browser "$1"
+            $browser "$url"
         fi
 
         if [ $? -eq 0 ]; then
@@ -451,7 +450,7 @@ open_lxde()
 {
 
     # pcmanfm only knows how to handle file:// urls and filepaths, it seems.
-    if pcmanfm --help >/dev/null 2>&1 -a is_file_url_or_path "$1"; then
+    if pcmanfm --help >/dev/null 2>&1 && is_file_url_or_path "$1"; then
         local file="$(file_url_to_path "$1")"
 
         # handle relative paths
@@ -524,8 +523,8 @@ case "$DE" in
     open_kde "$url"
     ;;
 
-    dde)
-    open_dde "$url"
+    deepin)
+    open_deepin "$url"
     ;;
 
     gnome3|cinnamon)
--- xdg-utils-1.1.3.orig/scripts/xdg-screensaver.in
+++ xdg-utils-1.1.3/scripts/xdg-screensaver.in
@@ -468,6 +468,7 @@ screensaver_gnome_screensaver()
         perl -e '
 use strict;
 use warnings;
+use Encode qw(decode);
 use IO::File;
 use Net::DBus;
 use X11::Protocol;
@@ -489,6 +490,10 @@ while (1) {
   }
 }
 
+# Replace any invalid unicode characters with U+FFFD, so we dont crash when we
+# pass them over to D-Bus
+$window_name = decode("utf8", $window_name, Encode::FB_DEFAULT);
+
 # Inhibit idle detection (flags = 8) with window name and ID.
 # We have no reason so just send the window name again.
 my $bus = Net::DBus->session();
@@ -887,6 +892,8 @@ xscreensaver-command -version 2> /dev/nu
 dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.ScreenSaver > /dev/null 2>&1 && DE="gnome_screensaver"
 # Consider "mate-screensaver" a separate DE
 dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.mate.ScreenSaver > /dev/null 2>&1 && DE="mate_screensaver"
+# Consider "cinnamon-screensaver" a separate DE
+dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.cinnamon.ScreenSaver > /dev/null 2>&1 && DE="cinnamon"
 # Consider "xautolock" a separate DE
 xautolock -enable > /dev/null 2>&1 && DE="xautolock_screensaver"
 
--- xdg-utils-1.1.3.orig/scripts/xdg-utils-common.in
+++ xdg-utils-1.1.3/scripts/xdg-utils-common.in
@@ -288,9 +288,8 @@ detectDE()
          KDE)
            DE=kde;
            ;;
-         # Deepin Desktop Environments
          DEEPIN|Deepin|deepin)
-           DE=dde;
+           DE=deepin;
            ;;
          LXDE)
            DE=lxde;
