From 19e2b191ef01b2e360ec8d0f0277e457fb7deb22 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Thu, 30 Jun 2016 21:10:14 +0000 Subject: Bug 1279878 - CSV injection --- Bugzilla/Template.pm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 1ac88b62e..b03817793 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -863,12 +863,13 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. If a field starts with an equals - # sign, it is proceed by a space. + # comma is enclosed in quotes. + # If a field starts with either "=", "+", "-" or "@", it is preceded + # by a space to prevent stupid formula execution from Excel & co. csv => sub { my ($var) = @_; - $var = ' ' . $var if substr($var, 0, 1) eq '='; + $var = ' ' . $var if $var =~ /^[+=@-]/; # backslash is not special to CSV, but it can be used to confuse some browsers... # so we do not allow it to happen. We only do this for logged-in users. $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; -- cgit v1.2.3-24-g4f1b