summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon Green <sgreen@redhat.com>2014-10-06 17:04:40 +0200
committerDavid Lawrence <dkl@mozilla.com>2014-10-06 17:04:40 +0200
commit10e40c5707d383303c7837f526c3ab06466ede98 (patch)
tree94f4876bbbc7442d61f74938190c7bfdfac13e45
parentfa954ab78cc60aba43aedb85e2b4f98d56d7bf9d (diff)
downloadbugzilla-10e40c5707d383303c7837f526c3ab06466ede98.tar.gz
bugzilla-10e40c5707d383303c7837f526c3ab06466ede98.tar.xz
Bug 1054702: CSV export vulnerable to formulae injection
r=glob,a=glob
Diffstat
-rw-r--r--Bugzilla/Template.pm4
-rw-r--r--template/en/default/reports/report-table.csv.tmpl8
2 files changed, 8 insertions, 4 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index e4c1bf460..ca467577f 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -890,10 +890,12 @@ sub create {
},
# In CSV, quotes are doubled, and any value containing a quote or a
- # comma is enclosed in quotes.
+ # comma is enclosed in quotes. If a field starts with an equals
+ # sign, it is proceed by a space.
csv => sub
{
my ($var) = @_;
+ $var = ' ' . $var if substr($var, 0, 1) eq '=';
$var =~ s/\"/\"\"/g;
if ($var !~ /^-?(\d+\.)?\d*$/) {
$var = "\"$var\"";
diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl
index e2a92b51d..e94014b92 100644
--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -23,11 +23,13 @@
[% END %]
[% tbl_field_disp FILTER csv %]: [% tbl_disp FILTER csv %]
[% END %]
-[% IF row_field %]
+[% IF row_field && col_field %]
+ [% row_field_disp _ ' / ' _ col_field_disp FILTER csv %]
+[% ELSIF row_field %]
[% row_field_disp FILTER csv %]
+[% ELSE %]
+ [% col_field_disp FILTER csv %]
[% END %]
-[% " / " IF col_field AND row_field %]
-[% col_field_disp FILTER csv %]
[% IF col_field -%]
[% FOREACH col = col_names -%]
[% colsepchar %]
generated by cgit v1.2.3-24-g4f1b (git 2.32.0) at 2024-05-11 07:55:25 +0200