summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon Green <sgreen@redhat.com>2014-10-06 17:01:03 +0200
committerDavid Lawrence <dkl@mozilla.com>2014-10-06 17:01:03 +0200
commit0ec036b02e033a63deacd9a7ca8af7c77394c45f (patch)
tree17eb0d358dcad3dd0327438b104872e2bcc39695
parent976dc12e4ed769bc02ffeb2be03bb1720e885135 (diff)
downloadbugzilla-0ec036b02e033a63deacd9a7ca8af7c77394c45f.tar.gz
bugzilla-0ec036b02e033a63deacd9a7ca8af7c77394c45f.tar.xz
Bug 1054702: CSV export vulnerable to formulae injection
r=glob,a=glob
-rw-r--r--Bugzilla/Template.pm4
-rw-r--r--template/en/default/reports/report-table.csv.tmpl8
2 files changed, 8 insertions, 4 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 98be21d55..7fd3f0e8d 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -738,10 +738,12 @@ sub create {
},
# In CSV, quotes are doubled, and any value containing a quote or a
- # comma is enclosed in quotes.
+ # comma is enclosed in quotes. If a field starts with an equals
+ # sign, it is proceed by a space.
csv => sub
{
my ($var) = @_;
+ $var = ' ' . $var if substr($var, 0, 1) eq '=';
$var =~ s/\"/\"\"/g;
if ($var !~ /^-?(\d+\.)?\d*$/) {
$var = "\"$var\"";
diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl
index 4d8b50a85..c978cf981 100644
--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -39,11 +39,13 @@
[% END %]
[% tbl_field_disp FILTER csv %]: [% tbl_disp FILTER csv %]
[% END %]
-[% IF row_field %]
+[% IF row_field && col_field %]
+ [% row_field_disp _ ' / ' _ col_field_disp FILTER csv %]
+[% ELSIF row_field %]
[% row_field_disp FILTER csv %]
+[% ELSE %]
+ [% col_field_disp FILTER csv %]
[% END %]
-[% " / " IF col_field AND row_field %]
-[% col_field_disp FILTER csv %]
[% IF col_field -%]
[% FOREACH col = col_names -%]
[% colsepchar %]