mahara-contributors team mailing list archive
Message #63959
[Bug 1930471] Re: Exporting of CSV files needs to sanitize data
** Changed in: mahara/21.04
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930471
Title:
Exporting of CSV files needs to sanitize data
Status in Mahara:
Fix Released
Status in Mahara 20.04 series:
Fix Committed
Status in Mahara 20.10 series:
In Progress
Status in Mahara 21.04 series:
Fix Committed
Bug description:
When we export CSV files, like we do in the reports pages, we don't
sanitize the output.
This means if a person saves data (like their username) beginning with
certain characters, e.g. = or + etc., then a spreadsheet program, when
the data is added into it, will interpret the value as a command.
This allows one to create a malicious string so that they can exploit
spreadsheet vulnerabilities.
Though this exploit isn't affecting Mahara itself, it can be the
vector of transmission.
It will be best if we sanitize the CSV exports to avoid this.
A suggestion is to add a TAB character before any string that begins with a susceptible character.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930471/+subscriptions
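
The TAB-prefix mitigation suggested in the bug description, sketched in PHP as an added example (this is not Mahara's code or its committed fix). The function names and sample rows are hypothetical, and treating `-` and `@` as susceptible characters alongside the `=` and `+` named in the report is an assumption.

```php
<?php
// Added example, not Mahara's code. Function names are hypothetical.

// Leading characters a spreadsheet may treat as the start of a formula.
// '=' and '+' come from the bug description; '-' and '@' are an assumption
// (they are commonly listed with them for CSV formula injection).
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@'];

/**
 * Prefix a TAB to any string cell that starts with a trigger character,
 * as the bug description suggests. Non-strings pass through unchanged so
 * genuine numbers (e.g. the integer -5) stay numeric; a numeric value
 * held as the string "-5" would get the TAB prefix.
 */
function csv_sanitize_cell($value) {
    if (!is_string($value) || $value === '') {
        return $value;
    }
    if (in_array($value[0], CSV_FORMULA_TRIGGERS, true)) {
        return "\t" . $value;
    }
    return $value;
}

/** Write rows to a CSV stream, sanitizing every cell first. */
function csv_export_rows($handle, array $rows): void {
    foreach ($rows as $row) {
        fputcsv($handle, array_map('csv_sanitize_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample data: a report with user-controlled name fields.
$rows = [
    ['username', 'firstname', 'logins'],
    ['alice', 'Alice', 12],
    ['=1+1', 'Mallory', 3],   // string cell starting with '=' gets the TAB
    ['+bob', 'Bob', -5],      // '+bob' gets the TAB; integer -5 is untouched
];

$out = fopen('php://memory', 'w+');
csv_export_rows($out, $rows);
rewind($out);
echo stream_get_contents($out);
fclose($out);
```

Sanitizing at the single point where rows are written keeps every export path covered, and cells read back from the file carry the leading TAB, so any consumer that re-imports the CSV needs to strip it.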