From f4cdceb03e1ca1866f676a2e9e7a14025c448caf Mon Sep 17 00:00:00 2001
From: Andy Spencer
Date: Sun, 29 Nov 2009 16:22:48 +0100
Subject: Fix security holes
---
 examples/data/uzbl/scripts/download.sh | 4 ++--
 examples/data/uzbl/scripts/scheme.py | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'examples')
diff --git a/examples/data/uzbl/scripts/download.sh b/examples/data/uzbl/scripts/download.sh
index c8eb6ba..1c7d039 100755
--- a/examples/data/uzbl/scripts/download.sh
+++ b/examples/data/uzbl/scripts/download.sh
@@ -16,7 +16,7 @@ test "x$url" = "x" && { echo "you must supply a url! ($url)"; exit 1; }
 # only changes the dir for the $get sub process
 if echo "$url" | grep -E '.*\.torrent' >/dev/null;
 then
- ( cd "$dest"; eval "$GET" "$url")
+ ( cd "$dest"; $GET "$url")
 else
- ( cd "$dest"; eval "$GET" "$url")
+ ( cd "$dest"; $GET "$url")
 fi
diff --git a/examples/data/uzbl/scripts/scheme.py b/examples/data/uzbl/scripts/scheme.py
index a54476f..0916466 100755
--- a/examples/data/uzbl/scripts/scheme.py
+++ b/examples/data/uzbl/scripts/scheme.py
@@ -16,8 +16,9 @@ if __name__ == '__main__':
 uri = sys.argv[8]
 u = urlparse.urlparse(uri)
 if u.scheme == 'mailto':
- detach_open(['xterm', '-e', 'mail %r' % u.path])
+ detach_open(['xterm', '-e', 'mail', u.path])
 elif u.scheme == 'xmpp':
+ # Someone check for safe arguments to gajim-remote
 detach_open(['gajim-remote', 'open_chat', uri])
 elif u.scheme == 'git':
- detach_open(['git', 'clone', uri], cwd=os.path.expanduser('~/src'))
+ detach_open(['git', 'clone', '--', uri], cwd=os.path.expanduser('~/src'))
-- cgit v1.2.3
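Review bot: In download.sh both rewritten lines pass "$url" to the downloader with no end-of-options marker, so a value beginning with `-` would be read as an option rather than as a URL. The same commit adds `--` for `git clone` in scheme.py, and the equivalent here is `( cd "$dest" && $GET -- "$url" )`, assuming the command held in `$GET` (defined outside the hunk) follows the usual getopt convention; the `&&` also keeps the download from running in the caller's directory when `cd` fails. The unquoted `$GET` is now word-split and glob-expanded by the shell, which deserves a comment such as `# $GET is split into words on purpose; it must not contain glob characters`. Both branches of the `if` are identical, so the .torrent test currently has no effect.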
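Review bot: In scheme.py's mailto branch `u.path` comes from the URI handed to the script and is now passed to `mail` as its own argument, so a path beginning with `-` would be parsed by `mail` as an option rather than a recipient. A guard such as `if u.path.startswith('-'): sys.exit(1)` before the `detach_open` call closes that, since support for `--` varies between mail implementations. The comment added in the xmpp branch records an open question instead of answering it; because `u.scheme` matched `xmpp`, `uri` should begin with that scheme and not with `-`, which could be stated as `# uri begins with the xmpp scheme, so it cannot be read as an option; other gajim-remote argument handling is unverified`. The `if __name__ == '__main__':` block and `detach_open` start outside the hunk, so how the argument list is finally executed is not visible here.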