This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. Eg, from within a gnome session:
$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that if in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.
xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)
Created attachment 36854 [details] [review]
Patch from Ubuntu bug
I can confirm the issue is still not fixed in xdg-utils 1.1.0, git snapshot from 2012-10-08.
Attached patch does work for me.
Please update in upstream.