This was me posting - I've no idea why it came up as Guest.

Filename/path escaping issue on Custom Commands in Synchronize dialogue

As per title, when you go to compare or create checksums from the Custom Commands dialogue in the Synchronize output, if the files contain spaces it appears to fail because the filenames are not escaped or quoted correctly.

There is a potential for this to be abused by carefully crafted filenames on the remote server as well to potentially run arbitrary code locally, but I haven't tested or PoC'd that of course, and ... well ... it requires the user to take active steps on odd-looking files, so perhaps this is a pretty low priority concern.

That said, it does make those two options totally useless for files with spaces or reserved characters in them.

PSR recording attached, but marked private in case it leaks passwords or other sensitive information.
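
The failure described in this report, as an added example that is not part of the original post and not the program's own code: a hypothetical command template with a `{file}` placeholder is expanded with and without quoting, and the result is split into words under POSIX shell rules (an assumption; Windows command-line quoting differs in detail). The template, the tool name `checksum-tool` and the file names are all constructed.

```python
import shlex

# Hypothetical custom-command template; {file} stands for the selected file name.
TEMPLATE = "checksum-tool --algo sha256 {file}"
FIXED_WORDS = 3  # words in the template before the placeholder

def expand_unquoted(filename, template=TEMPLATE):
    """Naive expansion: the file name is pasted into the command line as-is."""
    return template.replace("{file}", filename)

def expand_quoted(filename, template=TEMPLATE):
    """Expansion that quotes the file name so it stays a single argument."""
    return template.replace("{file}", shlex.quote(filename))

def shell_words(command_line):
    """Split a command line into words, treating ();<>|& as shell operators."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # do not treat '#' in a file name as a comment
    return list(lex)

def survives(expand, filename):
    """True when the tool would receive exactly one argument equal to the name."""
    try:
        words = shell_words(expand(filename))
    except ValueError:  # e.g. an unbalanced quote character in the file name
        return False
    return words[FIXED_WORDS:] == [filename]

# Constructed sample names: plain, with spaces, and with reserved characters.
SAMPLES = [
    "report.txt",
    "annual report 2023.txt",
    "a&b.txt",
    "it's (final).txt",
    "x;y.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} unquoted_ok={survives(expand_unquoted, name)} "
              f"quoted_ok={survives(expand_quoted, name)}")
```

Where a command can be launched without a shell, passing the file name as its own argument-list element avoids the quoting step entirely.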