summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2016-04-25 23:38:11 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2016-04-25 23:38:11 +0200
commitff441bcc43f86e3fedcecd0b774f171f1c8e61ef (patch)
tree32ac5c6fff414e1884b4f70b315c47244a50ed0c
parente2b113614dd7c00eef3fb890103935a33f03fb83 (diff)
downloadbugzilla-ff441bcc43f86e3fedcecd0b774f171f1c8e61ef.tar.gz
bugzilla-ff441bcc43f86e3fedcecd0b774f171f1c8e61ef.tar.xz
Bug 1259881 - CSV export vulnerable to formulae injection (again)
r=sgreen
-rw-r--r--Bugzilla/Template.pm7
1 files changed, 4 insertions, 3 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 95a89b560..618d80cfa 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -851,12 +851,13 @@ sub create {
},
# In CSV, quotes are doubled, and any value containing a quote or a
- # comma is enclosed in quotes. If a field starts with an equals
- # sign, it is proceed by a space.
+ # comma is enclosed in quotes.
+ # If a field starts with either "=", "+", "-" or "@", it is preceded
+ # by a space to prevent stupid formula execution from Excel & co.
csv => sub
{
my ($var) = @_;
- $var = ' ' . $var if substr($var, 0, 1) eq '=';
+ $var = ' ' . $var if $var =~ /^[+=@-]/;
# backslash is not special to CSV, but it can be used to confuse some browsers...
# so we do not allow it to happen. We only do this for logged-in users.
$var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;