git.koha-community.org Git - koha.git/commit
Bug 37727: Prevent CSV Formula injection via DataTables
author David Cook <dcook@prosentient.com.au>
Thu, 17 Oct 2024 05:35:56 +0000 (05:35 +0000)
committer JesseM <jesse@bywatersolutions.com>
Thu, 9 Jan 2025 17:10:12 +0000 (17:10 +0000)
commit 557e3022d1af198996c77cb4088d0b3b4f524643
tree 377310b0a9a71fb8d04f53e35ef4d08d5a4d81dc
parent 0f7a17530db9ee687043e837996373f3e9ea5f39
Bug 37727: Prevent CSV Formula injection via DataTables

This change prevents CSV Formula injection on DataTables exports
by escaping formulas with a single quote prefix as per OWASP recommendations.

Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/members/memberentry.pl?op=edit_form&destination=circ&borrowernumber=51
2. Add the following in a "Circulation note"
=SUM(1+1)
3. Go to http://localhost:8081/cgi-bin/koha/members/member.pl?quicksearch=1&circsearch=1&searchmember=koha
4. Click "Export" and choose "Excel" and "CSV"
5. Open those downloaded files in Excel
6. Note that the =SUM(1+1) function is prefixed with a single quote,
and is not automatically executed

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. The problematic "cell" is exported as "'=SUM(1+1)".
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit dcb5cc10512ebbc2887bf8a3a3ebbaacf8fec553)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1ed737eb401e24d1986a61a72a3e918694b6d9a9)
Signed-off-by: JesseM <jesse@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/includes/columns_settings.inc
koha-tmpl/intranet-tmpl/prog/js/datatables.js
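The mitigation the commit message describes, shown as an added JavaScript example that is not Koha's own code from this commit: cells whose first character would make a spreadsheet evaluate them as a formula get a single-quote prefix (the trigger list is the one from the OWASP CSV Injection guidance), and every field is then CSV-quoted. The function names and the sample rows are assumptions for this illustration.

```javascript
// Added example, not code from the Koha commit. Demonstrates the OWASP-style
// defence against CSV/formula injection in a DataTables-like CSV export.

// Leading characters that spreadsheets interpret as the start of a formula
// (OWASP CSV Injection guidance): =, +, -, @, tab and carriage return.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Prefix a cell with a single quote when it would otherwise be executed as a
// formula. Null/undefined become an empty cell; everything else is stringified.
function escapeCsvFormula(value) {
  if (value === null || value === undefined) return '';
  const text = String(value);
  return FORMULA_TRIGGERS.has(text.charAt(0)) ? "'" + text : text;
}

// Quote one CSV field: wrap in double quotes and double any embedded quote,
// so that commas, quotes and newlines inside the cell cannot break the row.
function quoteCsvField(text) {
  return '"' + text.replace(/"/g, '""') + '"';
}

// Build one CSV line from an array of raw cell values (escape, then quote).
function toCsvLine(cells) {
  return cells.map((c) => quoteCsvField(escapeCsvFormula(c))).join(',');
}

// Build a complete CSV document (header row plus data rows).
function exportCsv(header, rows) {
  return [header, ...rows].map(toCsvLine).join('\r\n') + '\r\n';
}

// Constructed sample resembling the patron table from the test plan: the
// "Circulation note" cell carries the =SUM(1+1) payload used in the test plan.
const SAMPLE_HEADER = ['Card', 'Name', 'Circulation note'];
const SAMPLE_ROWS = [
  ['23529000035676', 'koha, test', '=SUM(1+1)'],
  ['23529000035677', 'Smith, "Jo"', 'Returned late, fined'],
];

// Running the export shows the payload cell as "'=SUM(1+1)", as the
// sign-off note on the commit reports.
console.log(exportCsv(SAMPLE_HEADER, SAMPLE_ROWS));
```

A cell that legitimately starts with a minus sign (a negative number) is prefixed as well; that is the accepted cost of the OWASP rule, and the quote is visible as text in the exported cell.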