mahara-contributors team mailing list archive
[Bug 1930471] Re: Exporting of CSV files needs to sanitize data
  
** Changed in: mahara/20.04
       Status: Fix Committed => Fix Released
-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930471
Title:
  Exporting of CSV files needs to sanitize data
Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Committed
Status in Mahara 21.04 series:
  Fix Committed
Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.
  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or + etc., then a spreadsheet program, when
  the data is added into it, will interpret the value as a command.
  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities.
  Though this exploit isn't affecting Mahara itself - it can be the
  vector of transmission.
  It will be best if we sanitize the CSV exports to avoid this.
  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930471/+subscriptions
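
The TAB-prefix mitigation suggested in the bug description, sketched as an added example (this is not Mahara's code or its actual fix). The function names and sample rows are constructed for illustration, and the trigger set beyond "=" and "+" is an assumption, since the report only says "etc".

```python
import csv
import io

# "=" and "+" are named in the bug description; "-" and "@" are an assumption
# added here from common CSV-injection guidance (the report only says "etc").
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def sanitize_cell(value):
    """Return value with a leading TAB if a spreadsheet could read it as a formula."""
    # Only strings are rewritten: non-string values (ints, floats) pass through
    # untouched, so a numeric -5 is exported as -5 and not as the text "\t-5".
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "\t" + value
    return value


def export_csv(rows):
    """Serialise rows to CSV text, sanitising every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf)  # the csv module takes care of quoting and escaping
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: a report with user-controlled username and phone fields.
SAMPLE_ROWS = [
    ["username", "phone", "logins"],
    ["=1+1", "+44 20 7946 0000", 3],
    ["alice", "555-0100", -5],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

Applying the prefix at export time leaves the stored values unchanged, so only the CSV output carries the extra TAB.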