Headline
CVE-2022-33127: Remove windows specific exec. Open2.capture3 should work on all · samg/diffy@478f392
The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
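The quoting problem described above, as an added example that is not code from the Diffy project: it rebuilds the command string the way the removed Windows branch did and compares it with passing each path as its own argument. The filename, the `-u` option, the `quoted_spans` helper (a simplified model of quote pairing, not cmd.exe's parser) and the child Ruby process standing in for the diff binary are assumptions made for illustration.

```ruby
require 'open3'
require 'rbconfig'

# Constructed sample input: a filename that contains double quotes.
NAME  = 'report "final".txt'
OTHER = 'b.txt'

# Pre-fix Windows branch, reproduced from the removed lines: every path is
# wrapped in double quotes and the whole string is handed to the shell.
def legacy_command(diff_bin, diff_options, paths)
  sprintf '"%s" %s %s', diff_bin, diff_options.join(' '),
          paths.map { |s| %("#{s}") }.join(' ')
end

# Simplified model of quote pairing (not cmd.exe's full parser): the text
# that ends up inside quotes once the string is parsed a second time.
def quoted_spans(cmd)
  cmd.scan(/"([^"]*)"/).flatten
end

# Post-fix form: each path is its own argv element, with no shell in between.
# A child Ruby process stands in for the diff binary (assumption, so the
# example runs anywhere) and reports the arguments it received.
def argv_received(paths)
  out, _err, status = Open3.capture3(RbConfig.ruby, '-e', 'print ARGV.inspect', *paths)
  raise "child failed: #{status.exitstatus}" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  cmd = legacy_command('diff', ['-u'], [NAME, OTHER])
  puts cmd                           # the name's own quotes look like delimiters
  p quoted_spans(cmd)                # the filename is no longer one quoted unit
  puts argv_received([NAME, OTHER])  # the filename arrives intact as one argument
end
```

In the string form, part of the filename falls outside any quoted span, which is where shell metacharacters would be interpreted; in the argument-array form there is no second parse for the name to influence.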
@@ -49,13 +49,7 @@ def diff [string1, string2] end
if WINDOWS # don’t use open3 on windows cmd = sprintf '"%s" %s %s’, diff_bin, diff_options.join(' '), @paths.map { |s| %(“#{s}”) }.join(' ') diff = `#{cmd}` else diff = Open3.popen3(diff_bin, *(diff_options + @paths)) { |i, o, e| o.read } end diff, stderr, process_status = Open3.capture3(diff_bin, *(diff_options + @paths)) diff.force_encoding(‘ASCII-8BIT’) if diff.respond_to?(:valid_encoding?) && !diff.valid_encoding? if diff =~ /\A\s*\Z/ && !options[:allow_empty_diff] diff = case options[:source]
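Review bot: `stderr` and `process_status` returned by `Open3.capture3(diff_bin, *(diff_options + @paths))` are assigned but never read in the visible lines, so a diff process that exits with an error and prints nothing to stdout is handled by the `diff =~ /\A\s*\Z/` empty-diff branch the same way as identical inputs. Consider checking `process_status` (GNU diff uses exit status 2 for trouble) and surfacing `stderr` in that case, or naming the unused values `_stderr, _status` so the intent is explicit. With the `if WINDOWS` branch gone, it is also worth checking whether the `WINDOWS` constant has any remaining users, and adding a regression test that diffs a path containing a double quote so the argument-array behaviour stays pinned.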
Related news
The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.