xdg-open: be more paranoid in escaping

When trying to open URLs like:
  http://www.google.com/search?hl=en&q=HTTP+'M-SEARCH * HTTP/1.1\r\n'
we fail terribly in the generic case. \r and \n are replaced by line
feed+CR, * is replaced by the contents of the current directory.

So escape all those before used and expanded by sed. And also later
when invoking.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>

1 files changed, 7 insertions, 7 deletions

diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index eda1cfb..0934142 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -135,16 +135,16 @@ search_desktop_file()
         command="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | first_word`"
         command_exec=`which $command 2>/dev/null`
         arguments="`grep -E "^Exec(\[[^]=]*])?=" "$file" | cut -d= -f 2- | last_word`"
-        arg_one="`echo $arg | sed 's/&/\\\\&/g'`"
-        arguments_exec="`echo $arguments | sed -e 's*%[fFuU]*"'"$arg_one"'"*g'`"
+        arg_one="`echo "$arg" | sed 's/[&*\\]/\\\\&/g'`"
+        arguments_exec="`echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g'`"
 
         if [ -x "$command_exec" ] ; then
-            if echo $arguments | grep -iq '%[fFuU]' ; then
-                echo START $command_exec $arguments_exec
-                eval $command_exec $arguments_exec
+            if echo "$arguments" | grep -iq '%[fFuU]' ; then
+                echo START "$command_exec" "$arguments_exec"
+                eval "$command_exec" "$arguments_exec"
             else
-                echo START $command_exec $arguments_exec "$arg"
-                eval $command_exec $arguments_exec "$arg"
+                echo START "$command_exec" "$arguments_exec" "$arg"
+                eval "$command_exec" "$arguments_exec" "$arg"
             fi
 
             if [ $? -eq 0 ]; then