Reviewed: https://reviews.mahara.org/12135
Committed: https://git.mahara.org/mahara/mahara/commit/941740b3f796316659d379819ffe7db93651df2e
Submitter: Robert Lyon ([email protected])
Branch: main

commit 941740b3f796316659d379819ffe7db93651df2e
Author: Robert Lyon <[email protected]>
Date:   Thu Jun 3 12:20:23 2021 +1200

    Security bug 1930471: Make exported CSV data safer

    To avoid data exported from Mahara causing a CSV injection security
    issue when imported in a spreadsheet program

    Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
    Signed-off-by: Robert Lyon <[email protected]>

https://bugs.launchpad.net/bugs/1930471

Title:
  Exporting of CSV files needs to sanitize data

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.

  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or + etc then the data when added into a
  spreadsheet program will interpret the value as a command.

  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities.

  Though this exploit isn't affecting Mahara itself - it can be the
  vector of transmission.

  It will be best if we sanitize the CSV exports to avoid this.

  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.
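
The TAB-prefix mitigation suggested in the bug description, sketched as an added example; it is not Mahara's code and not the committed fix. The function names, the trigger set beyond `=` and `+`, the choice to leave plain signed numbers untouched, and the skipping of leading whitespace are assumptions made for illustration.

```python
import csv
import io
import re

# Assumption: the bug report names only "=" and "+" ("etc"); "-" and "@" are
# added here because spreadsheet programs also treat them as formula starters.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Plain signed numbers such as "-12.5" or "+3" are data, not formulas.
_PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?\Z")


def neutralise_cell(value):
    """Return value as text, TAB-prefixed if it starts like a formula."""
    text = "" if value is None else str(value)
    # Assumption: skip leading whitespace when testing, in case an importer
    # trims it before deciding whether the cell is a formula.
    probe = text.lstrip(" \t\r\n")
    if probe.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(probe):
        return "\t" + text
    return text


def export_csv(rows):
    """Serialise rows to CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample report rows (not real Mahara data).
SAMPLE_ROWS = [
    ["username", "displayname", "score"],
    ["alice", "Alice Example", 42],
    ["=1+1", "+SUM(A1:A9)", -7],
    ["bob", "  @handle", "-2+3"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The prefix is applied at export time only, so stored usernames and other profile data stay unchanged.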

