This patch changes pine's URL passing for external programs to not use

_URL_ in the argument string but use the environment variable "URL" for

that. Certainly SUSE-specific now.

--- pine4.64/pine/mailview.c

+++ pine4.64/pine/mailview.c

@@ -5121,146 +5121,52 @@

     int	       rv = 0;

     url_tool_t f;

 #define	URL_MAX_LAUNCH	(2 * MAILTMPLEN)

+#define _URL_EXPANSION "\"$URL\""

     if(handle->h.url.tool){

-	char	*toolp, *cmdp, *p, *q, cmd[URL_MAX_LAUNCH + 4];

-	char    *left_double_quote, *right_double_quote;

-	int	 mode, quotable = 0, copied = 0, double_quoted = 0;

-	int      escape_single_quotes = 0;

+        char    *toolp, *cmdp, *endp, cmd[URL_MAX_LAUNCH + 1];

+        int      mode, len, copied = 0;

 	PIPE_S  *syspipe;

 	toolp = handle->h.url.tool;

 	/*

-	 * Figure out if we need to quote the URL. If there are shell

-	 * metacharacters in it we want to quote it, because we don't want

-	 * the shell to interpret them. However, if the user has already

-	 * quoted the URL in the command definition we don't want to quote

-	 * again. So, we try to see if there are a pair of unescaped

-	 * quotes surrounding _URL_ in the cmd.

-	 * If we quote when we shouldn't have, it'll cause it not to work.

-	 * If we don't quote when we should have, it's a possible security

-	 * problem (and it still won't work).

-	 *

-	 * In bash and ksh $( executes a command, so we use single quotes

-	 * instead of double quotes to do our quoting. If configured command

-	 * is double-quoted we change that to single quotes.

-	 */

-#ifdef	_WINDOWS

-	/*

-	 * It should be safe to not quote any of the characters from the

-	 * string below.  It was quoting with '?' and '&' in a URL, which is

-	 * unnecessary.  Also the quoting code below only quotes with

-	 * ' (single quote), so we'd want it to at least do double quotes

-	 * instead, for Windows.

+        * Rather than trying to be smart about quoting and

+        * meta-characters, just stuff the URL into an environment

+        * variable and make the handler use it.

 	 */

-	if(toolp)

-	  quotable = 0;		/* always never quote */

-	else

-#endif

-	/* quote shell specials */

-	if(strpbrk(handle->h.url.path, "&*;<>?[]|~$(){}") != NULL){

-	    escape_single_quotes++;

-	    if((p = strstr(toolp, "_URL_")) != NULL){  /* explicit arg? */

-		int in_quote = 0;

-

-		/* see whether or not it is already quoted */

-

-	        quotable = 1;

-

-		for(q = toolp; q < p; q++)

-		  if(*q == '\'' && (q == toolp || q[-1] != '\\'))

-		    in_quote = 1 - in_quote;

-		

-		if(in_quote){

-		    for(q = p+5; *q; q++)

-		      if(*q == '\'' && q[-1] != '\\'){

-			  /* already single quoted, leave it alone */

-			  quotable = 0;

-			  break;

-		      }

-		}

-		if(quotable){

-		    in_quote = 0;

-		    for(q = toolp; q < p; q++)

-		      if(*q == '\"' && (q == toolp || q[-1] != '\\')){

-			  in_quote = 1 - in_quote;

-			  if(in_quote)

-			    left_double_quote = q;

-		      }

-		    

-		    if(in_quote){

-			for(q = p+5; *q; q++)

-			  if(*q == '\"' && q[-1] != '\\'){

-			      /* we'll replace double quotes with singles */

-			      double_quoted = 1;

-			      right_double_quote = q;

-			      break;

-			  }

-		    }

-		}

-	    }

-	    else

-	      quotable = 1;

-	}

-	else

-	  quotable = 0;

+	setenv("URL", handle->h.url.path, 1);

 	/* Build the command */

 	cmdp = cmd;

-	while(cmdp-cmd < URL_MAX_LAUNCH)

-	  if((!*toolp && !copied)

-	     || (*toolp == '_' && !strncmp(toolp + 1, "URL_", 4))){

+        endp = cmd + sizeof(cmd) - 1;

+        do {

+          if (cmdp + 1 > endp)

+              return(url_launch_too_long(rv));

+ 

+          if (!*toolp && !copied) {

 	      /* implicit _URL_ at end */

-	      if(!*toolp)

-		*cmdp++ = ' ';

+              *endp++ = ' ';

+             toolp = "_URL_";

+         }

+

+

+         if (strncmp(toolp, "_URL_", 5) != 0) {

+              *cmdp++ = *toolp++;

+         }

+	else {

+             toolp += 5; /* length of _URL_ */

-	      /* add single quotes */

-	      if(quotable && !double_quoted && cmdp-cmd < URL_MAX_LAUNCH)

-		*cmdp++ = '\'';

-

-	      copied = 1;

-	      /*

-	       * If the url.path contains a single quote we should escape

-	       * that single quote to remove its special meaning.

-	       * Since backslash-quote is ignored inside single quotes we

-	       * close the quotes, backslash escape the quote, then open

-	       * the quotes again. So

-	       *         'fred's car'

-	       * becomes 'fred'\''s car'

-	       */

-	      for(p = handle->h.url.path;

-		  p && *p && cmdp-cmd < URL_MAX_LAUNCH; p++){

-		  if(escape_single_quotes && *p == '\''){

-		      *cmdp++ = '\'';	/* closing quote */

-		      *cmdp++ = '\\';

-		      *cmdp++ = '\'';	/* opening quote comes from p below */

-		  }

+             if (cmdp + sizeof(_URL_EXPANSION) - 1 > endp)

+                  return(url_launch_too_long(rv));

-		  *cmdp++ = *p;

-	      }

-

-	      if(quotable && !double_quoted && cmdp-cmd < URL_MAX_LAUNCH){

-		  *cmdp++ = '\'';

-		  *cmdp = '\0';

-	      }

-

-	      if(*toolp)

-		toolp += 5;		/* length of "_URL_" */

-	  }

-	  else{

-	      /* replace double quotes with single quotes */

-	      if(double_quoted &&

-		 (toolp == left_double_quote || toolp == right_double_quote)){

-		  *cmdp++ = '\'';

-		  toolp++;

-	      }

-	      else if(!(*cmdp++ = *toolp++))

-		break;

+             sstrcpy(&cmdp, _URL_EXPANSION);

+             copied = 1;

 	  }

+	} while (*toolp);

 	if(cmdp-cmd >= URL_MAX_LAUNCH)

 	  return(url_launch_too_long(rv));