Filename/path escaping issue on Custom Commands in Synchronize dialogue


Guest


As per title, when you go to compare or create checksums from the Custom Commands dialogue in the Synchronize output, if the files contain spaces it appears to fail because the filenames are not escaped or quoted correctly.

There is also potential for this to be abused, via carefully crafted filenames on the remote server, to run arbitrary code locally, but I haven't tested or PoC'd that, of course, and... well... it requires the user to take active steps on odd-looking files, so perhaps this is a pretty low-priority concern.

That said, it does make those two options totally useless for files with spaces or reserved characters in them.

PSR recording attached, but marked private in case it leaks passwords or other sensitive information.
  • winscp-checksum-compare-in-synchronize-escaping-issues.zip (739 KB, Private file)
Description: I've tried to redact the SSH password from this file, for security, but I'm marking it as private just in case I missed something :)

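The two failure modes the post describes (a name with spaces splitting into several arguments, and a crafted name smuggling extra shell commands) are easy to reproduce with a small model of a "substitute the file name into a command template" step. The following is an added illustration and is not WinSCP's code: it assumes a hypothetical `!` placeholder for the file name and uses POSIX-shell quoting rules (via `shlex`), whereas WinSCP runs local custom commands on Windows, whose command-line quoting differs. The sample file names are constructed for the demonstration.

```python
"""Why unquoted file-name substitution breaks on spaces and why crafted
names can inject commands.  Added example; not WinSCP's own code."""
import shlex

# Assumption: a '!' token in the template stands for the file name.
PLACEHOLDER = "!"
TEMPLATE = "sha256sum !"

# Constructed sample names (not taken from the original report).
SAMPLE_NAMES = [
    "report.txt",
    "quarterly report.txt",               # the space case from the post
    "it's here.txt",                      # a shell-reserved character
    "x.txt; echo INJECTED > /tmp/pwned",  # crafted name carrying extra commands
]


def naive_expand(template: str, filename: str) -> str:
    """Substitute the file name into the template with no quoting at all."""
    return template.replace(PLACEHOLDER, filename)


def safe_expand(template: str, filename: str) -> str:
    """Substitute a POSIX-shell-quoted file name so it stays one word."""
    return template.replace(PLACEHOLDER, shlex.quote(filename))


def shell_words(command: str) -> list[str]:
    """Split a command line the way a POSIX shell would split it into words.

    Extra words after the expected ones mean the name either broke apart
    (spaces) or carried its own commands (injection).
    """
    return shlex.split(command)


def argv_form(template: str, filename: str) -> list[str]:
    """Best option: build argv directly and run it without a shell, so the
    file name is never parsed as shell syntax at all."""
    return [filename if tok == PLACEHOLDER else tok
            for tok in shlex.split(template)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name))
        print("  naive  ->", shell_words(naive_expand(TEMPLATE, name)))
        print("  quoted ->", shell_words(safe_expand(TEMPLATE, name)))
        print("  argv   ->", argv_form(TEMPLATE, name))
```

Running it shows the naive expansion of `quarterly report.txt` turning into two arguments, and the crafted name turning into a second command, while the quoted and argv forms keep every name as a single argument. The argv form is the one to prefer: quoting is only a patch over the decision to hand a string to a shell.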
