https://bugs.gentoo.org/756838
https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/5f3f563d69ae72bbefe9031c68d8167935abcba5
From 5f3f563d69ae72bbefe9031c68d8167935abcba5 Mon Sep 17 00:00:00 2001
From: Slatian
Date: Sat, 14 Oct 2023 13:14:44 +0200
Subject: [PATCH] Fix CVE-2020-27748 by paasing attachments seperately
---
 scripts/xdg-email.in | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
index 4e3a5e8..6d83b0a 100644
--- a/scripts/xdg-email.in
+++ b/scripts/xdg-email.in
@@ -30,11 +30,14 @@ _USAGE
 #@xdg-utils-common@
+# (thunderbird_binary, mailto_uri, attached_files)
 run_thunderbird()
 {
 local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
 THUNDERBIRD="$1"
 MAILTO="$(echo "$2" | sed 's/^mailto://')"
+ ATTACH="$3"
+
 echo "$MAILTO" | grep -qs "^?"
 if [ "$?" = "0" ] ; then
 MAILTO="$(echo "$MAILTO" | sed 's/^?//')"
@@ -48,7 +51,6 @@ run_thunderbird()
 BCC="$(/bin/echo -e "$(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')")"
 SUBJECT="$(echo "$MAILTO" | grep '^subject=' | tail -n 1)"
 BODY="$(echo "$MAILTO" | grep '^body=' | tail -n 1)"
- ATTACH="$(/bin/echo -e "$(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//')")"
 if [ -z "$TO" ] ; then
 NEWMAILTO=
@@ -82,6 +84,7 @@ run_thunderbird()
 fi
 }
+# (mailto, attach)
 open_kde()
 {
 local kreadconfig profile client
@@ -104,7 +107,7 @@ open_kde()
 fi
 if echo "$client" | grep -Eq 'thunderbird|icedove'; then
- run_thunderbird "$client" "$1"
+ run_thunderbird "$client" "$1" "$2"
 fi
 fi
 fi
@@ -137,6 +140,7 @@ open_kde()
 fi
 }
+# (mailto, attach)
 open_gnome3()
 {
 local client
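Review bot: The new header comment on run_thunderbird, `# (thunderbird_binary, mailto_uri, attached_files)`, does not record the property this patch exists to enforce: attachments now come only from `$3`, and the line that read `attach=` fields out of the URI in `$2` is gone. A later edit that re-adds URI parsing of `attach=` would reintroduce CVE-2020-27748, so I would spell the rule out, e.g. `# $3: comma-separated, URL-encoded paths from --attach only; attach= inside $2 must never be honoured (CVE-2020-27748)`. Note also that the removed line percent-decoded the value before use, while `ATTACH="$3"` is assigned as-is. The code that consumes ATTACH lies outside these hunks, so it should be confirmed there that Thunderbird receives the encoded form correctly.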
@@ -144,7 +148,7 @@ open_gnome3()
 desktop="$(xdg-mime query default "x-scheme-handler/mailto")"
 client="$(desktop_file_to_binary "$desktop")"
 case "$client" in *thunderbird*|*icedove*)
- run_thunderbird "$client" "$1"
+ run_thunderbird "$client" "$1" "$2"
 esac
 if gio help open 2>/dev/null 1>&2; then
@@ -165,12 +169,13 @@ open_gnome3()
 fi
 }
+# (mailto, attach)
 open_gnome()
 {
 local client
 client="$(gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1)"
 case "$client" in *thunderbird*|*icedove*)
- run_thunderbird "$client" "$1"
+ run_thunderbird "$client" "$1" "$2"
 esac
 if gio help open 2>/dev/null 1>&2; then
@@ -191,7 +196,7 @@ open_gnome()
 fi
 }
-
+# (mailto, attach)
 open_lxqt()
 {
 local client
@@ -200,7 +205,7 @@ open_lxqt()
 client="$(desktop_file_to_binary "$desktop")"
 echo "$client" | grep -E 'thunderbird|icedove' > /dev/null 2>&1
 if [ $? -eq 0 ] ; then
- run_thunderbird "$client" "$1"
+ run_thunderbird "$client" "$1" "$2"
 fi
 if qtxdg-mat open --help 2>/dev/null 1>&2; then
@@ -261,6 +266,7 @@ open_flatpak()
 fi
 }
+# (mailto, attach)
 open_generic()
 {
 local client
@@ -268,7 +274,7 @@ open_generic()
 desktop="$(xdg-mime query default "x-scheme-handler/mailto")"
 client="$(desktop_file_to_binary "$desktop")"
 case "$client" in *thunderbird*|*icedove*)
- run_thunderbird "$client" "$1"
+ run_thunderbird "$client" "$1" "$2"
 esac
 xdg-open "$1"
@@ -317,6 +323,8 @@ LC_ALL="$ORIG_LC_ALL"
 options=
 mailto=
+# attach is a comma seperated list of url encoded filenames
+attach=
 utf8="iconv -t utf8"
 while [ $# -gt 0 ] ; do
 parm="$1"
@@ -383,7 +391,7 @@ while [ $# -gt 0 ] ; do
 fi
 url_encode "$file"
- options="${options}attach=${result}&"
+ attach="${attach}${attach:+,}${result}"
 shift
 ;;
@@ -436,7 +444,7 @@ mailto="$(echo "${mailto}"| sed 's/[?&]$//')"
 [ x"${mailto}" != x"" ] || exit_failure_syntax
 if command -v @NAME@-hook.sh > /dev/null; then
- @NAME@-hook.sh "${mailto}"
+ @NAME@-hook.sh "${mailto}" "$attach"
 if [ $? -eq 0 ]; then
 exit_success
 else
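Review bot: In the open_gnome3 hunk (and likewise open_gnome, open_lxqt and open_generic here, and open_kde earlier in the patch) the new `$2` is consumed only inside the Thunderbird/Icedove branch; the fallbacks visible below it (`gio help open …`, `qtxdg-mat open …`, `xdg-open "$1"`) still receive only the URI. Since `--attach` no longer adds `attach=` to the URI, a user whose default client is not Thunderbird would, as far as these hunks show, get a compose window with the attachment silently missing, whereas the envvar, xfce and flatpak cases added at the end of the patch fail explicitly. Failing the same way after the `esac` would be consistent, e.g. `[ -z "$2" ] || exit_failure_operation_impossible "Unable to use --attach with this mail client"`. The function bodies continue outside the hunks, so this assumes run_thunderbird does not return on success.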
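Review bot: `attach="${attach}${attach:+,}${result}"` in the `--attach` branch uses `,` as the list separator, so a filename can only stay a single list entry if url_encode never emits a literal comma. url_encode is defined outside this hunk, so that should be verified and then pinned with a comment next to the assignment, e.g. `# "," separates entries; url_encode must percent-encode it in file names`. The enclosing `while` loop and `case` arm start and end outside the hunk.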
@@ -456,35 +464,41 @@ fi
 case "$DE" in
 envvar)
+ [ -z "$attach" ] || \
+ exit_failure_operation_impossible "Unable to use --attach with the MAILER envoirnment variable"
 open_envvar "${mailto}"
 ;;
 kde)
- open_kde "${mailto}"
+ open_kde "${mailto}" "$attach"
 ;;
 gnome)
- open_gnome "${mailto}"
+ open_gnome "${mailto}" "$attach"
 ;;
 gnome3|cinnamon|lxde|mate|deepin)
- open_gnome3 "${mailto}"
+ open_gnome3 "${mailto}" "$attach"
 ;;
 lxqt)
- open_lxqt "${mailto}"
+ open_lxqt "${mailto}" "$attach"
 ;;
 xfce)
+ [ -z "$attach" ] || \
+ exit_failure_operation_impossible "Unable to use --attach with the Xfce opener"
 open_xfce "${mailto}"
 ;;
 flatpak)
+ [ -z "$attach" ] || \
+ exit_failure_operation_impossible "Unable to use --attach from inside a flatpak"
 open_flatpak "${mailto}"
 ;;
 generic|enlightenment)
- open_generic "${mailto}"
+ open_generic "${mailto}" "$attach"
 ;;
 *)
--
2.52.0
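Review bot: The message added in the `envvar)` branch misspells "environment" as `envoirnment`; it is user-facing output and should read `"Unable to use --attach with the MAILER environment variable"`. The same two-line guard `[ -z "$attach" ] || exit_failure_operation_impossible …` is repeated for envvar, xfce and flatpak, so a small helper taking the opener name would keep the three messages in step. The `case` statement continues past the end of the hunk at `*)`.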