From 0ec036b02e033a63deacd9a7ca8af7c77394c45f Mon Sep 17 00:00:00 2001
From: Simon Green <sgreen@redhat.com>
Date: Mon, 6 Oct 2014 15:01:03 +0000
Subject: Bug 1054702: CSV export vulnerable to formulae injection
 r=glob,a=glob

---
 Bugzilla/Template.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/Template.pm')

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 98be21d55..7fd3f0e8d 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -738,10 +738,12 @@ sub create {
             },
 
             # In CSV, quotes are doubled, and any value containing a quote or a
-            # comma is enclosed in quotes.
+            # comma is enclosed in quotes. If a field starts with an equals
+            # sign, it is proceed by a space.
             csv => sub
             {
                 my ($var) = @_;
+                $var = ' ' . $var if substr($var, 0, 1) eq '=';
                 $var =~ s/\"/\"\"/g;
                 if ($var !~ /^-?(\d+\.)?\d*$/) {
                     $var = "\"$var\"";
-- 
cgit v1.2.3-24-g4f1b