git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution.