Bug 1259881 - CSV export vulnerable to formulae injection (again)

r=sgreen a=dkl

Bug 1259881 - CSV export vulnerable to formulae injection (again)
36253a71 · Frédéric Buclin · 94d623c0 · 36253a71
Commit 36253a71 authored Apr 25, 2016 by Frédéric Buclin
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

Template.pm Bugzilla/Template.pm +4 -3

No files found.
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -713,12 +713,13 @@ sub create {
            },

            # In CSV, quotes are doubled, and any value containing a quote or a
-            # comma is enclosed in quotes. If a field starts with an equals
-            # sign, it is proceed by a space.
+            # comma is enclosed in quotes.
+            # If a field starts with either "=", "+", "-" or "@", it is preceded
+            # by a space to prevent stupid formula execution from Excel & co.
            csv => sub
            {
                my ($var) = @_;
-                $var = ' ' . $var if substr($var, 0, 1) eq '=';
+                $var = ' ' . $var if $var =~ /^[+=@-]/;
                # backslash is not special to CSV, but it can be used to confuse some browsers...
                # so we do not allow it to happen. We only do this for logged-in users.
                $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;