diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2016-04-25 23:38:11 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2016-04-25 23:38:11 +0200 |
| commit | ff441bcc43f86e3fedcecd0b774f171f1c8e61ef (patch) | |
| tree | 32ac5c6fff414e1884b4f70b315c47244a50ed0c /Bugzilla | |
| parent | e2b113614dd7c00eef3fb890103935a33f03fb83 (diff) | |
| download | bugzilla-ff441bcc43f86e3fedcecd0b774f171f1c8e61ef.tar.gz bugzilla-ff441bcc43f86e3fedcecd0b774f171f1c8e61ef.tar.xz | |
Bug 1259881 - CSV export vulnerable to formulae injection (again)
r=sgreen
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/Template.pm | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 95a89b560..618d80cfa 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -851,12 +851,13 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. If a field starts with an equals - # sign, it is proceed by a space. + # comma is enclosed in quotes. + # If a field starts with either "=", "+", "-" or "@", it is preceded + # by a space to prevent stupid formula execution from Excel & co. csv => sub { my ($var) = @_; - $var = ' ' . $var if substr($var, 0, 1) eq '='; + $var = ' ' . $var if $var =~ /^[+=@-]/; # backslash is not special to CSV, but it can be used to confuse some browsers... # so we do not allow it to happen. We only do this for logged-in users. $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; |