** Changed in: mahara/21.04
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1930471

Title:
  Exporting of CSV files needs to sanitize data

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed
Status in Mahara 20.10 series:
  In Progress
Status in Mahara 21.04 series:
  Fix Committed

Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.

  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or +, etc., then the data, when added into a
  spreadsheet program, will be interpreted as a command.

  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities.

  Though this exploit isn't affecting Mahara itself - it can be the
  vector of transmission.

  It will be best if we sanitize the CSV exports to avoid this.
  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.
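
The TAB-prefix mitigation suggested in the report, sketched as an added example; this is not part of the bug report and not Mahara's code. The function names and the sample rows are hypothetical, and the trigger set beyond "=" and "+" is an assumption taken from OWASP's CSV injection guidance.

```python
import csv
import io

# Assumption: the report names "=" and "+" ("etc"); "-", "@", TAB and CR are
# added here from OWASP's CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return value made safe for a spreadsheet cell (hypothetical helper)."""
    # Real numbers come from the exporter, not from user-entered text,
    # so a negative int/float keeps its numeric form.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # Mitigation suggested in the report: prefix a TAB so the cell is
        # read as text instead of being evaluated.
        return "\t" + text
    return text


def export_csv(header, rows):
    """Serialise rows to CSV text, sanitising every cell on the way out."""
    buf = io.StringIO()
    # QUOTE_ALL also protects values containing commas, quotes or newlines.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample report: usernames are user-controlled strings.
    sample = [
        ["alice", 12],
        ["=1+1", 3],          # would be evaluated as a formula if unsanitised
        ["+SUM(A1:A2)", 0],
        ["@handle", -5],      # -5 is a real number and stays numeric
    ]
    print(export_csv(["username", "logins"], sample))
```

Anything that parses the export programmatically will see the leading TAB in affected fields and has to strip it.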
