Miroslav Lichvar discovered that xdg-open allows for arbitrary command
execution in case the URL can not be handled by KDE, GNOME, XFCE or
mimeopen.

https://bugs.gentoo.org/show_bug.cgi?id=207331
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0386

http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33&view=patch
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37&view=patch

--- xdg-open	2008/01/18 15:00:38	1.32
+++ xdg-open	2008/01/24 20:24:51	1.33
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 #   xdg-open
 #
@@ -382,7 +382,8 @@
     for browser in $BROWSER; do
         if [ x"$browser" != x"" ]; then
 
-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+            IFS=' '
+            browser_with_arg=${browser//'%s'/"$1"}
 
             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
             else $browser_with_arg;
--- xdg-email	2006/11/21 20:29:55	1.36
+++ xdg-email	2008/01/24 20:24:50	1.37
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #---------------------------------------------
 #   xdg-email
 #
@@ -435,7 +435,8 @@
     for browser in $BROWSER; do
         if [ x"$browser" != x"" ]; then
 
-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
+            IFS=' '
+            browser_with_arg=${browser//'%s'/"$1"}
 
             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
             else $browser_with_arg;