path: root/test/lisp/jsonrpc-tests.el
author: Ulrich Müller <ulm@gentoo.org> 2023-03-07 18:25:37 +0100
committer: Ulrich Müller <ulm@gentoo.org> 2023-03-07 18:25:37 +0100
commit: 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc (patch)
tree: f4d2798e2e502999a8c06062bdda0f8498fa6afa /test/lisp/jsonrpc-tests.el
parent: ab417c8a6eeb7df7ccce3e5f8416f48544a5174e (diff)
Fix Elisp code injection vulnerability in emacsclient-mail.desktop

A crafted mailto URI could contain unescaped double-quote characters, allowing injection of Elisp code. Therefore, any '\' and '"' characters are replaced by '\\' and '\"', using Bash pattern substitution (which is not available in the POSIX shell).

We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the bash -c command, but in the desktop entry '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes are expanded twice, see the Desktop Entry Specification).

Reported by Gabriel Corona <gabriel.corona@free.fr>.

* etc/emacsclient-mail.desktop (Exec): Escape backslash and double-quote characters.

Diffstat (limited to 'test/lisp/jsonrpc-tests.el')
0 files changed, 0 insertions, 0 deletions
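
The escaping step from the commit message, as an added example that is not part of the commit or of the Emacs sources: it runs the two Bash substitutions in a `bash -c` child and checks whether the result still reads as a single double-quoted Elisp string. The helper names, the quotes-only contrast case and the sample inputs are constructed here, and bash is assumed to be installed.

```shell
# Added illustration; function names and sample inputs are constructed here.

# The two substitutions from the commit message, run in a `bash -c` child
# because ${var//pat/repl} is a Bash extension, not POSIX sh.
escape_for_elisp() {
    bash -c 'u=${1//\\/\\\\}; u=${u//\"/\\\"}; printf "%s" "$u"' bash "$1"
}

# Contrast case (hypothetical): escape only the double quotes.
escape_quotes_only() {
    bash -c 'u=${1//\"/\\\"}; printf "%s" "$u"' bash "$1"
}

# Succeeds if the argument, read as the body of a double-quoted Elisp
# string, contains a quote that is not preceded by an escaping backslash,
# i.e. the string literal would end early.
has_unescaped_quote() {
    # Drop every backslash-escape pair, then look for a surviving quote.
    printf '%s\n' "$1" | sed 's/\\.//g' | grep -q '"'
}

report() {
    if has_unescaped_quote "$2"; then verdict='literal ends early'
    else verdict='stays one literal'; fi
    printf '%-12s %-28s %s\n' "$1" "$2" "$verdict"
}

# Constructed inputs: a plain quote, and a backslash directly before a quote.
for raw in 'subject=say "hi"' 'subject=a\"b'; do
    report 'raw' "$raw"
    report 'quotes only' "$(escape_quotes_only "$raw")"
    report 'both' "$(escape_for_elisp "$raw")"
done
```

The second input is the reason the backslash substitution comes first: escaping only the quote turns `\"` into `\\"`, which is an escaped backslash followed by a bare quote.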