Package: dirdiff
Version: 2.1-1
Severity: important

An example: Create a file named "xyzzy[foo bar].txt", and place it in a 
directory tree so that dirdiff displays the file path. It is presented as

        /path/to/bar].txt
        /path/to/xyzzy[foo

Another example: Try a file named "Foo Bar [Baz Qux] - 00 - Foo Bar.txt".
It will display properly in the list widget; however, if you attempt to 
delete it via Copy/Del -> Remove from /wherever/it/is, up pops an error 
dialog:

        Error: Invalid command name "Baz"

If you hit the Details button, here's what you see:

        invalid command name "Baz"
        invalid command name "Baz"
            while executing
        "Baz Qux"
            invoked from within
        ".#bar.#bar#copy invoke active"
            ("uplevel" body line 1)
            invoked from within
        "uplevel #0 [list $w invoke active]"
            (procedure "tk::MenuInvoke" line 50)
            invoked from within
        "tk::MenuInvoke .#bar.#bar#copy 1"
            (command bound to event)

Here it appears that dirdiff is not properly quoting the filename---which 
may well have security implications, if a hostile party creates a filename 
containing malicious Tcl commands. (It doesn't help that long filenames 
simply extend past the right edge of the list widget, without so much as a 
horizontal scrollbar.)
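
The quoting failure described in this report, reproduced as an added example in plain Tcl (no Tk needed); it is not dirdiff's code and not part of the original report. The procs `remove_file` and `run_callback`, the interpolated callback string, and the list-splitting explanation for the first example are assumptions about how such code might be written.

```tcl
# Added illustration in plain Tcl. Proc and variable names are hypothetical;
# this is not dirdiff's source. Filenames are the report's own samples.

# Stand-in for the delete action: only records the arguments it received.
proc remove_file {args} { lappend ::calls $args }

# Menu -command scripts are kept as strings and evaluated later at global
# level, as the "uplevel #0" frame in the report's stack trace shows.
proc run_callback {script} {
    set ::calls {}
    set failed [catch {uplevel #0 $script} msg]
    return [list $failed $msg $::calls]
}

set path {/wherever/Foo Bar [Baz Qux] - 00 - Foo Bar.txt}

# Weak: interpolating the name into a script string. On evaluation the
# spaces split it into words and the bracketed text runs as a command.
set weak "remove_file $path"
puts "weak:   [run_callback $weak]"

# If a command with that name exists, the filename's text executes silently.
proc Baz {args} { set ::ran_from_filename $args; return x }
puts "weak:   [run_callback $weak]  ran=$::ran_from_filename"

# Hardened: build the script with list, so the name stays one literal word.
set safe [list remove_file $path]
puts "safe:   [run_callback $safe]"

# Same root cause behind the split display: a name used where a list is
# expected becomes two elements (assumed mechanism for the first example).
set name {xyzzy[foo bar].txt}
foreach f [lsort $name]        { puts "as string: /path/to/$f" }
foreach f [lsort [list $name]] { puts "as list:   /path/to/$f" }
```

Run it with `tclsh`; the first `weak` line reports the same `invalid command name "Baz"` error as the dialog above, and the `safe` line shows `remove_file` receiving the full filename as a single argument.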


