aerc: backport an upstream patch for handling of attachments' filenames

The patch is not part of a tagged release yet so we apply it selectively
instead of upgrading whole aerc. While it is originally presented as
a usability problem only for attachments with absolutes filepaths (they
fail to open), there is nothing stopping you from putting a relative
path in there therefore forcing aerc to overwriting any path on the host
system with sender chosen data. It's been marked as CVE-2025-49466

I decided to inline the patches into nixpkgs as they are very short and
the current bot protection of git.sr.ht complicates patch fetching.

pkgs/by-name/ae/aerc/basename-temp-file-fixup.patch

@@ -0,0 +1,34 @@
+From 2bbe75fe0bc87ab4c1e16c5a18c6200224391629 Mon Sep 17 00:00:00 2001
+From: Nicole Patricia Mazzuca <nicole@streganil.no>
+Date: Fri, 9 May 2025 09:32:21 +0200
+Subject: [PATCH] open: fix opening text/html messages
+
+This fixes a bug introduced in 93bec0de8ed5ab3d6b1f01026fe2ef20fa154329:
+aerc started using `path.Base(<part>)`, which returns `"."` on an empty
+path, but still checked for `""` two lines later.
+
+On macOS, the result is that aerc attempts to open the directory:
+
+```
+open /var/folders/vn/hs0zvdsx3vq6svvry8s1bnym0000gn/T/aerc-4229266673: is a directory
+```
+
+Signed-off-by: Nicole Patricia Mazzuca <nicole@streganil.no>
+Acked-by: Robin Jarry <robin@jarry.cc>
+---
+ commands/msgview/open.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/commands/msgview/open.go b/commands/msgview/open.go
+index a6e43cb8da5fd49d2aa562d4c25ee2d597deefc3..7c770d4a90b771e3a18dfcb327f5e9306d5b5fa7 100644
+--- a/commands/msgview/open.go
++++ b/commands/msgview/open.go
+@@ -59,7 +59,7 @@ func (o Open) Execute(args []string) error {
+ 		}
+ 		filename := path.Base(part.FileName())
+ 		var tmpFile *os.File
+-		if filename == "" {
++		if filename == "." {
+ 			extension := ""
+ 			if exts, _ := mime.ExtensionsByType(mimeType); len(exts) > 0 {
+ 				extension = exts[0]

pkgs/by-name/ae/aerc/basename-temp-file.patch

@@ -0,0 +1,41 @@
+From 93bec0de8ed5ab3d6b1f01026fe2ef20fa154329 Mon Sep 17 00:00:00 2001
+From: Robin Jarry <robin@jarry.cc>
+Date: Wed, 9 Apr 2025 10:49:24 +0200
+Subject: [PATCH] open: only use part basename for temp file
+
+When an attachment part has a name such as "/tmp/55208186_AllDocs.pdf",
+aerc creates a temp folder and tries to store the file by blindly
+concatenating the path as follows:
+
+	/tmp/aerc-3444057757/tmp/55208186_AllDocs.pdf
+
+And when writing to this path, it gets a "No such file or directory"
+error because the intermediate "tmp" subfolder isn't created.
+
+Reported-by: Erik Colson <eco@ecocode.net>
+Signed-off-by: Robin Jarry <robin@jarry.cc>
+---
+ commands/msgview/open.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/commands/msgview/open.go b/commands/msgview/open.go
+index 4293b7e4892c137a7f3fbbe79245ffb6733b2671..a6e43cb8da5fd49d2aa562d4c25ee2d597deefc3 100644
+--- a/commands/msgview/open.go
++++ b/commands/msgview/open.go
+@@ -5,6 +5,7 @@ import (
+ 	"io"
+ 	"mime"
+ 	"os"
++	"path"
+ 	"path/filepath"
+ 
+ 	"git.sr.ht/~rjarry/aerc/app"
+@@ -56,7 +57,7 @@ func (o Open) Execute(args []string) error {
+ 			app.PushError(err.Error())
+ 			return
+ 		}
+-		filename := part.FileName()
++		filename := path.Base(part.FileName())
+ 		var tmpFile *os.File
+ 		if filename == "" {
+ 			extension := ""

pkgs/by-name/ae/aerc/package.nix

@@ -33,7 +33,14 @@ buildGoModule (finalAttrs: {
     python3Packages.wrapPython
   ];
 
-  patches = [ ./runtime-libexec.patch ];
+  patches = [
+    ./runtime-libexec.patch
+
+    # TODO remove these with the next release
+    # they resolve a path injection vulnerability when saving attachments (CVE-2025-49466)
+    ./basename-temp-file.patch
+    ./basename-temp-file-fixup.patch
+  ];
 
   postPatch = ''
     substituteAllInPlace config/aerc.conf