In reviewing the issue of CSV injection across our applications, it looks like DSpace, including current versions, is affected by this issue.
The issue is well described on the web. Essentially, if a user submits a document with a field value which could be interpreted as a function, the CSV export does not escape or sanitise this value. The result is that a client opening this in Excel, treating it as a trusted source (and with macros enabled), will execute this function.

This is easily tested in DSpace:

(1) Submit an item with a text value of =sum(1+1)
(2) Export the collection using the DSpace metadata export.
(3) Open in Excel and note that the field resolves as "2" - i.e. the formula is executed.

One remediation which we have tested in other apps is to prefix any values starting with =, +, -, @ (bearing in mind CR/LF prefixes) with an apostrophe on the output to CSV, or to sanitise this prefix. While this is strictly an issue with Excel (and doesn't affect OpenOffice in default settings), the engineering of attacks via a trusted source of output is of course an issue.

Has this been flagged in the community?

Edmund

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/4ab4b2da-47dc-4898-8845-916036e3e6e9n%40googlegroups.com.
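The remediation Edmund describes (apostrophe-prefixing or stripping cells that begin with =, +, -, @), plus an audit pass over an existing export, as an added example. This is illustrative code written for this thread, not DSpace's metadata export code; the tab and carriage-return triggers are added on the assumption that the OWASP CSV-injection list applies, and the sample rows are constructed to look like a DSpace metadata export rather than taken from a real repository.

```python
import csv
import io

# Leading characters that make Excel evaluate a CSV cell as a formula.
# "=", "+", "-", "@" are the ones named in the post; tab and carriage return
# are added from the OWASP CSV-injection guidance (assumption: same treatment).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if the raw cell text starts with a formula trigger."""
    return cell[:1] in FORMULA_TRIGGERS


def looks_numeric(cell: str) -> bool:
    """Plain numbers such as -5 or +3.2 start with a trigger but are not formulas."""
    try:
        float(cell)
    except ValueError:
        return False
    return True


def neutralise(cell: str, mode: str = "prefix") -> str:
    """Return a cell value that Excel will display as text rather than evaluate.

    mode="prefix": prepend an apostrophe (Excel's literal-text marker).
    mode="strip":  drop the triggering characters instead.
    Numeric-looking values are left alone so that -5 stays a number.
    """
    if not is_formula_like(cell) or looks_numeric(cell):
        return cell
    if mode == "prefix":
        return "'" + cell
    if mode == "strip":
        return cell.lstrip("".join(FORMULA_TRIGGERS))
    raise ValueError(f"unknown mode {mode!r}")


def export_csv(rows, columns, safe=True) -> str:
    """Write rows (dicts) to CSV text; safe=True neutralises every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        values = [str(row.get(col, "")) for col in columns]
        writer.writerow([neutralise(v) for v in values] if safe else values)
    return buf.getvalue()


def audit_csv(text: str):
    """Report (line number, column header, value) for cells a spreadsheet would evaluate.

    Useful for checking an export that was produced without the neutralise step.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    findings = []
    for lineno, row in enumerate(reader, start=2):  # header occupies line 1
        for col, value in zip(header, row):
            if is_formula_like(value) and not looks_numeric(value):
                findings.append((lineno, col, value))
    return findings


# Constructed sample resembling a DSpace metadata export (not real repository data).
COLUMNS = ["id", "collection", "dc.title", "dc.description.abstract"]
SAMPLE_ROWS = [
    {"id": "1", "collection": "123456789/2", "dc.title": "=sum(1+1)",
     "dc.description.abstract": "Plain abstract"},
    {"id": "2", "collection": "123456789/2", "dc.title": "@SUM(A1:A9)",
     "dc.description.abstract": "-5"},
    {"id": "3", "collection": "123456789/2", "dc.title": "Normal title",
     "dc.description.abstract": "+1+1"},
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, COLUMNS, safe=False)
    print("cells Excel would evaluate in the unsanitised export:", audit_csv(unsafe))
    print(export_csv(SAMPLE_ROWS, COLUMNS))
```

The apostrophe stays in the data for any non-spreadsheet consumer, so a re-import of a sanitised export carries it back into the metadata unless the import side strips it; the "strip" mode avoids that round-trip problem at the cost of altering the stored value. Excluding numeric-looking cells keeps negative numbers intact, which a blanket prefix on "-" would otherwise corrupt.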
