From 75f12db40fd70d7717ad494f9de1d606d3d236ac Mon Sep 17 00:00:00 2001 From: Simon Green Date: Mon, 6 Oct 2014 14:59:17 +0000 Subject: [PATCH] Bug 1054702: CSV export vulnerable to formulae injection r=glob,a=glob --- Bugzilla/Template.pm | 4 +++- template/en/default/reports/report-table.csv.tmpl | 8 +++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 0cb20620d6..72144de89f 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -730,10 +730,12 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. + # comma is enclosed in quotes. If a field starts with an equals + # sign, it is proceed by a space. csv => sub { my ($var) = @_; + $var = ' ' . $var if substr($var, 0, 1) eq '='; $var =~ s/\"/\"\"/g; if ($var !~ /^-?(\d+\.)?\d*$/) { $var = "\"$var\""; diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl index 4d8b50a859..c978cf981a 100644 --- a/template/en/default/reports/report-table.csv.tmpl +++ b/template/en/default/reports/report-table.csv.tmpl @@ -39,11 +39,13 @@ [% END %] [% tbl_field_disp FILTER csv %]: [% tbl_disp FILTER csv %] [% END %] -[% IF row_field %] +[% IF row_field && col_field %] + [% row_field_disp _ ' / ' _ col_field_disp FILTER csv %] +[% ELSIF row_field %] [% row_field_disp FILTER csv %] +[% ELSE %] + [% col_field_disp FILTER csv %] [% END %] -[% " / " IF col_field AND row_field %] -[% col_field_disp FILTER csv %] [% IF col_field -%] [% FOREACH col = col_names -%] [% colsepchar %] -- 2.47.2