Kyle M Hall
6b96763992
The system is vulnerable to Formula Injection attacks as the data stored within the database and exported as CSV/Excel is not being sanitized or validated against implanted formula payloads This patch modifies all uses of Text::CSV and derived classes to pass the "formula" parameter with value of "empty" which replaces formulas by empty string. Test Plan: 1) Apply this patch 2) For guided_reports.pl, attempt to export CSV where you've set a column to a formula somehow ( such as "=1+3" ) 3) Export that CSV file 4) Note the formula has not been exported 5) Repeat this plan for the remaining scripts that export CSV files where users can define the outputted data Signed-off-by: Magnus Enger <magnus@libriotech.no> Fixed two conflicts. I have tested that this works as advertised on: - Reports (Download > Comma separated text (.csv)) [Text::CSV::Encoded] - Circulation > Overdues > Download file of all overdues [Text::CSV_XS] - misc/export_borrowers.pl [Text::CSV] This covers all modules used, and both GUI and command line. Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> [EDIT] Change none to empty in the commit message ! None is the default, doing nothing. Empty clears the formulas. Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> |
||
|---|---|---|
| .. | ||
| barcode-print.pl | ||
| label-create-csv.pl | ||
| label-create-pdf.pl | ||
| label-create-xml.pl | ||
| label-edit-batch.pl | ||
| label-edit-layout.pl | ||
| label-edit-profile.pl | ||
| label-edit-range.pl | ||
| label-edit-template.pl | ||
| label-home.pl | ||
| label-item-search.pl | ||
| label-manage.pl | ||
| label-print.pl | ||
| spinelabel-home.pl | ||
| spinelabel-print.pl | ||