$OpenBSD: patch-lib_mail_core_extensions_shellwords_rb,v 1.1 2011/02/10 01:39:47 jeremy Exp $

Fix for "Vulnerability in Sendmail Delivery Agent code".

--- lib/mail/core_extensions/shellwords.rb.orig	Wed Feb  9 09:21:19 2011
+++ lib/mail/core_extensions/shellwords.rb	Wed Feb  9 09:21:19 2011
@@ -0,0 +1,55 @@
+# The following is imported from ruby 1.9.2 shellwords.rb
+#
+module Shellwords
+  # Escapes a string so that it can be safely used in a Bourne shell
+  # command line.
+  #
+  # Note that a resulted string should be used unquoted and is not
+  # intended for use in double quotes nor in single quotes.
+  #
+  #   open("| grep #{Shellwords.escape(pattern)} file") { |pipe|
+  #     # ...
+  #   }
+  #
+  # +String#shellescape+ is a shorthand for this function.
+  #
+  #   open("| grep #{pattern.shellescape} file") { |pipe|
+  #     # ...
+  #   }
+  #
+  def shellescape(str)
+    # An empty argument will be skipped, so return empty quotes.
+    return "''" if str.empty?
+
+    str = str.dup
+
+    # Process as a single byte sequence because not all shell
+    # implementations are multibyte aware.
+    str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/n, "\\\\\\1")
+
+    # A LF cannot be escaped with a backslash because a backslash + LF
+    # combo is regarded as line continuation and simply ignored.
+    str.gsub!(/\n/, "'\n'")
+
+    return str
+  end
+
+  module_function :shellescape
+
+  class << self
+    alias escape shellescape
+  end
+
+end
+
+class String
+  # call-seq:
+  #   str.shellescape => string
+  #
+  # Escapes +str+ so that it can be safely used in a Bourne shell
+  # command line.  See +Shellwords::shellescape+ for details.
+  #
+  def shellescape
+    Shellwords.escape(self)
+  end
+end
\ No newline at end of file
