- patchlevel 10
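--- a/alpine-0.9999/pith/mailcap.c
+++ b/alpine-0.9999/pith/mailcap.c
@@ -881,17 +881,19 @@
                     * have to put those outside of the single quotes.
                     * (The parm+1000 nonsense is to protect against
                     * malicious mail trying to overlow our buffer.)
+                    *
+                    * TCH - Change 2/8/1999
+                    * Also quote the ` slash to prevent execution of arbirtrary code
                     */
                    for(p = parm; *p && p < parm+1000; p++){
-                       if(*p == '\''){
-                           if(to-tmp_20k_buf+3 < SIZEOF_20KBUF){
+                       if((*p == '\'')||(*p=='`')){
+                           if(to-tmp_20k_buf+4 < SIZEOF_20KBUF){
                                *to++ = '\'';  /* closing quote */
                                *to++ = '\\';
-                               *to++ = '\'';  /* below will be opening quote */
+                               *to++ = *p; /* quoted character */
+                               *to++ = '\'';  /* opening quote */
                            }
-                       }
-
-                       if(to-tmp_20k_buf < SIZEOF_20KBUF)
+                       } else if(to-tmp_20k_buf < SIZEOF_20KBUF)
                          *to++ = *p;
                    }
 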
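Review bot: The widened test in the loop (single quote or backtick) extends a two-character denylist, and the added comment does not state the quoting context that makes such a list sufficient. Judging by the visible comment the value is emitted inside single quotes, where only `'` can end the quoting and a backtick is already literal; if a mailcap template can ever place the parameter outside single quotes, other shell metacharacters still pass through unchanged. I would record that invariant in the comment, e.g. `* Safe only while the value is emitted inside single quotes; the backtick case is defence in depth.`, and correct the new wording to `Also quote the backtick to prevent execution of arbitrary code`. When the `+4` bounds check fails, the quote character is now dropped silently while later characters are still copied, so refusing to build the command on overflow would be safer than running a truncated one. The enclosing function and the start of this comment lie outside the hunk, so the quoting context should be confirmed there.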