Bug 1054702: CSV export vulnerable to formulae injection

r=glob,a=glob

Bug 1054702: CSV export vulnerable to formulae injection
b578b2ae · Simon Green · David Lawrence · a92eee1c · b578b2ae · b578b2ae
Commit b578b2ae authored Oct 06, 2014 by Simon Green Committed by David Lawrence Oct 06, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

Template.pm Bugzilla/Template.pm +3 -1

report-table.csv.tmpl template/en/default/reports/report-table.csv.tmpl +5 -3

No files found.
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -711,10 +711,12 @@ sub create {
            },
            # In CSV, quotes are doubled, and any value containing a quote or a
-            # comma is enclosed in quotes.
+            # comma is enclosed in quotes. If a field starts with an equals
+            # sign, it is proceed by a space.
            csv => sub
            {
                my ($var) = @_;
+                $var = ' ' . $var if substr($var, 0, 1) eq '=';
                $var =~ s/\"/\"\"/g;
                if ($var !~ /^-?(\d+\.)?\d*$/) {
                    $var = "\"$var\"";

--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -23,11 +23,13 @@
  [% END %]
  [% tbl_field_disp FILTER csv %]: [% tbl_disp FILTER csv %]
 [% END %]
-[% IF row_field %]
+[% IF row_field && col_field %]
+  [% row_field_disp _ ' / ' _ col_field_disp FILTER csv %]
+[% ELSIF row_field %]
  [% row_field_disp FILTER csv %]
+[% ELSE %]
+  [% col_field_disp FILTER csv %]
 [% END %]
-[% " / " IF col_field AND row_field %]
-[% col_field_disp FILTER csv %]
 [% IF col_field -%]
  [% FOREACH col = col_names -%]
    [% colsepchar %]