Patch for "21.10_DEV" branch: https://reviews.mahara.org/12194
https://bugs.launchpad.net/bugs/1930471

Title:
  Exporting of CSV files needs to sanitize data

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.

  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or + etc., then a spreadsheet program, when
  the data is added into it, will interpret the value as a command.

  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities. Though this exploit isn't affecting Mahara
  itself, it can be the vector of transmission.

  It will be best if we sanitize the CSV exports to avoid this.

  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.
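
The TAB-prefix suggestion from the bug description, sketched as an added example in Python (this is not Mahara's patch or code). The trigger characters beyond `=` and `+`, the function names and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Assumption: the bug description names "=" and "+" ("etc"); "-", "@", tab
# and carriage return are added here following OWASP's CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Prefix a TAB to text a spreadsheet could evaluate as a formula."""
    # Real numbers are left alone so a numeric -5 still exports as a number.
    if isinstance(value, (int, float)):
        return value
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "\t" + text
    return text


def export_csv(header, rows):
    """Return CSV text; data cells are sanitized before CSV quoting."""
    buf = io.StringIO()
    # QUOTE_ALL keeps the TAB prefix, commas and quotes inside one field.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)  # header names come from the application
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows standing in for a user report.
SAMPLE_ROWS = [
    ("alice", "Alice Example", 12),
    ("=1+1", "Formula-like username", -5),
    ("+bob", 'Quote " and, comma', 0),
    ("@carol", "-dash first", 3),
]

if __name__ == "__main__":
    print(export_csv(("username", "displayname", "score"), SAMPLE_ROWS))
```

Sanitizing has to happen on the raw value before the CSV writer quotes it, and it applies to every user-controlled field, not only usernames.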

