
D18974.diff


diff --git a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
--- a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
+++ b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
@@ -42,6 +42,16 @@
private function addRow(array $values) {
$row = array();
foreach ($values as $value) {
+
+ // Excel is extremely interested in executing arbitrary code it finds in
+ // untrusted CSV files downloaded from the internet. When a cell looks
+ // like it might be too tempting for Excel to ignore, mangle the value
+ // to dissuade remote code execution. See T12800.
+
+ if (preg_match('/^\s*[+=@-]/', $value)) {
+ $value = '(!) '.$value;
+ }
+
if (preg_match('/\s|,|\"/', $value)) {
$value = str_replace('"', '""', $value);
$value = '"'.$value.'"';
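Review bot: the guard `preg_match('/^\s*[+=@-]/', $value)` also fires on ordinary negative numbers, so a cell like `-5` is exported as `(!) -5` and any numeric column containing negatives is corrupted for consumers that re-import the CSV; consider skipping the mangling when the value is a plain number, e.g. `if (!is_numeric($value) && preg_match('/^\s*[+=@-]/', $value))`, since a bare number cannot be interpreted as a formula. Separately, the comment should state that this is a deliberate, lossy transformation of exported data (the `(!) ` prefix is visible to every downstream consumer, not only to Excel), so readers of the export code understand why values differ from what is stored; T12800 is referenced but the rationale for choosing a visible prefix over a quieter neutralisation is not recorded here. Finally, `preg_match` is called on `$value` before the type is known; if `$values` can contain `null` or non-string scalars the call will warn on newer PHP, so casting with `(string)` at the top of the loop would make both regexes safe.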
