From: Simon Green <sgreen@redhat.com>
Date: Mon, 6 Oct 2014 15:04:40 +0000 (+0000)
Subject: Bug 1054702: CSV export vulnerable to formulae injection
X-Git-Tag: bugzilla-4.5.6~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10e40c5707d383303c7837f526c3ab06466ede98;p=thirdparty%2Fbugzilla.git

Bug 1054702: CSV export vulnerable to formulae injection
r=glob,a=glob
---

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index e4c1bf4608..ca467577f3 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -890,10 +890,12 @@ sub create {
             },
 
             # In CSV, quotes are doubled, and any value containing a quote or a
-            # comma is enclosed in quotes.
+            # comma is enclosed in quotes. If a field starts with an equals
+            # sign, it is proceed by a space.
             csv => sub
             {
                 my ($var) = @_;
+                $var = ' ' . $var if substr($var, 0, 1) eq '=';
                 $var =~ s/\"/\"\"/g;
                 if ($var !~ /^-?(\d+\.)?\d*$/) {
                     $var = "\"$var\"";
diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl
index e2a92b51d2..e94014b922 100644
--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -23,11 +23,13 @@
   [% END %]
   [% tbl_field_disp FILTER csv %]: [% tbl_disp FILTER csv %]
 [% END %]
-[% IF row_field %]
+[% IF row_field && col_field %]
+  [% row_field_disp _ ' / ' _ col_field_disp FILTER csv %]
+[% ELSIF row_field %]
   [% row_field_disp FILTER csv %]
+[% ELSE %]
+  [% col_field_disp FILTER csv %]
 [% END %]
-[% " / " IF col_field AND row_field %]
-[% col_field_disp FILTER csv %]
 [% IF col_field -%]
   [% FOREACH col = col_names -%]
     [% colsepchar %]