D18974.id45506.diff

diff --git a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
--- a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
+++ b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
@@ -42,6 +42,16 @@
private function addRow(array $values) {
$row = array();
foreach ($values as $value) {
+
+ // Excel is extremely interested in executing arbitrary code it finds in
+ // untrusted CSV files downloaded from the internet. When a cell looks
+ // like it might be too tempting for Excel to ignore, mangle the value
+ // to dissuade remote code execution. See T12800.
+
+ if (preg_match('/^\s*[+=@-]/', $value)) {
+ $value = '(!) '.$value;
+ }
+
if (preg_match('/\s|,|\"/', $value)) {
$value = str_replace('"', '""', $value);
$value = '"'.$value.'"';
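Review bot: the character class in `preg_match('/^\s*[+=@-]/', $value)` also matches ordinary negative numbers such as `-5`, which will then be exported as `(!) -5`; if numeric cells are expected in these exports, consider exempting values that are purely numeric before adding the prefix. The class also leaves out the tab and carriage-return prefixes that spreadsheet applications treat as formula starts in the same way, so `[+=@\t\r-]` would close that gap. Since `$value` goes on to `str_replace` a few lines later, casting it to string before the match would keep the behaviour predictable for non-string values, and a sentence in the comment saying that the `(!) ` prefix deliberately alters the exported data (rather than quoting it) would help whoever reads this next.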
