Filename/path escaping issue on Custom Commands in Synchronize dialogue
As per title, when you go to compare or create checksums from the Custom Commands dialogue in the Synchronize output, if the files contain spaces it appears to fail because the filenames are not escaped or quoted correctly.
There is a potential for this to be abused by carefully crafted filenames on the remote server as well to potentially run arbitrary code locally, but I haven't tested or PoC'd that of course, and... well... it requires the user to take active steps on odd-looking files, so perhaps this is a pretty low priority concern.
That said, it does make those two options totally useless for files with spaces or reserved characters in them.
PSR recording attached, but marked private in case it leaks passwords or other sensitive information.
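The splitting failure described in the report, as an added example that is not part of the original post and not the application's own code: a file name pasted unquoted into a Windows command line is split into several arguments, while a correctly quoted one arrives as a single argument. The tool name `checksum.exe`, the sample names and the helper functions are hypothetical, and the command is assumed to be launched directly rather than through `cmd.exe`, whose metacharacters are a separate layer.

```python
import subprocess

def split_windows_cmdline(cmdline):
    """Split a command line the way the MS C runtime does (simplified:
    the "" escape inside a quoted run is not modelled)."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (n // 2))    # 2n backslashes -> n
                if n % 2:
                    cur.append('"')            # odd count: literal quote
                else:
                    in_quotes = not in_quotes  # even count: quote delimits
                j += 1
            else:
                cur.append("\\" * n)           # not before a quote: literal
            i, started = j, True
        elif ch == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if started:                        # unquoted blank ends the argument
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(ch)
            i, started = i + 1, True
    if started:
        args.append("".join(cur))
    return args

def build_naive(tool, path):
    # Reported behaviour: the name is pasted into the command line as-is.
    return tool + " " + path

def build_quoted(tool, path):
    # Hardened: each value is quoted so it parses back as exactly one argument.
    return subprocess.list2cmdline([tool, path])

# Constructed sample names, as a remote listing might return them.
SAMPLES = ["report final.txt", 'a "b" c.txt', "C:\\sync dir\\report final.txt"]
```
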