GHSA-5ww9-9qp2-x524: Improper handling of double quotes in file name in Diffy in Windows environment
The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
High severity • GitHub Reviewed • Published Jun 24, 2022 • Updated Jun 25, 2022
Related news
CVE-2022-33127: Remove windows specific exec. Open2.capture3 should work on all · samg/diffy@478f392
The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
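
The bug class described above, next to the argument-vector style of call named in the fix commit title, as an added example that is not Diffy's own code. The helper names and sample paths are constructed for illustration; Ruby's `Shellwords` (POSIX rules) stands in for the Windows command-line parser, and the Ruby interpreter stands in for the diff tool.

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

# Constructed sample input: the first path string contains double quotes.
SAMPLE_PATHS = ['old "v1 draft" notes.txt', 'new.txt'].freeze

# Fragile pattern: wrap each path in double quotes and join into one string
# that a command-line parser will later split again.
def naive_command(tool, paths)
  ([tool] + paths.map { |p| %("#{p}") }).join(' ')
end

# Arguments a parser recovers from the naive string. Shellwords applies POSIX
# rules (assumption: a stand-in for the Windows parser, which differs in detail).
def tokens_seen_by_shell(paths)
  Shellwords.split(naive_command('diff', paths)).drop(1)
end

# Hardened pattern: pass an argument vector to Open3.capture3 so no shell
# re-parses the paths. The child is the Ruby interpreter echoing its ARGV
# (assumption: a stand-in for the diff tool).
def child_argv(paths)
  out, _err, status = Open3.capture3(RbConfig.ruby, '-e', 'puts ARGV', *paths)
  raise 'child process failed' unless status.success?
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive string : #{naive_command('diff', SAMPLE_PATHS)}"
  puts "parsed back  : #{tokens_seen_by_shell(SAMPLE_PATHS).inspect}"
  puts "argv to child: #{child_argv(SAMPLE_PATHS).inspect}"
end
```

The quoted string is parsed back as three arguments for two inputs because the embedded quotes end the quoted region early, while the argument-vector call delivers both path strings unchanged.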