Bug 37727: Prevent CSV Formula injection via DataTables
This change prevents CSV Formula injection on DataTables exports
by escaping formulas with a single quote prefix as per OWASP recommendations.
Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/members/memberentry.pl?op=edit_form&destination=circ&borrowernumber=51
2. Add the following in a "Circulation note"
=SUM(1+1)
3. Go to http://localhost:8081/cgi-bin/koha/members/member.pl?quicksearch=1&circsearch=1&searchmember=koha
4. Click "Export" and choose "Excel" and "CSV"
5. Open those downloaded files in Excel
6. Note that the =SUM(1+1) function is prefixed with a single quote,
and is not automatically executed
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. The problematic "cell" is exported as "'=SUM(1+1)".
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit dcb5cc10512ebbc2887bf8a3a3ebbaacf8fec553)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
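The single-quote prefix the commit describes, shown as an added example in plain JavaScript. This is not Koha's or DataTables' own export code; the function names, the set of trigger characters (taken from the OWASP CSV Injection guidance) and the sample rows are assumptions made for this example. It goes slightly beyond the commit: cells are also double-quoted with embedded quotes doubled, so a comma or newline in a note cannot break the row, and genuine numeric values are left alone so that a negative number is not turned into text.

```javascript
// Added example (not Koha's or DataTables' own code): neutralising spreadsheet
// formula injection in a CSV export by prefixing dangerous cells with a single
// quote, as the OWASP CSV Injection guidance recommends.
// Function names and the sample rows below are assumptions made for this example.

// Leading characters that make Excel / LibreOffice treat a cell as a formula.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Prefix a cell value with a single quote when a spreadsheet would otherwise
// evaluate it as a formula. Real numbers are not formulas, so they pass
// through untouched (a negative balance should stay numeric).
function neutraliseFormula(value) {
  if (typeof value === 'number') return String(value);
  const s = value == null ? '' : String(value);
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) {
    return "'" + s;
  }
  return s;
}

// Quote a cell for CSV: always wrap in double quotes and double any embedded
// double quote, so a comma, quote or newline inside a value cannot start a
// new field or row.
function csvQuote(value) {
  return '"' + value.replace(/"/g, '""') + '"';
}

// Render one row of cell values as a CSV line, neutralising each cell first.
function csvRow(cells) {
  return cells.map((c) => csvQuote(neutraliseFormula(c))).join(',');
}

// Render a full CSV document with CRLF line endings.
function csvDocument(rows) {
  return rows.map(csvRow).join('\r\n') + '\r\n';
}

// Constructed sample data mirroring the test plan: a patron whose circulation
// note is the =SUM(1+1) payload, plus other payload shapes (DDE-style command,
// a string that merely looks negative, a real negative number, and a value
// with quotes and commas).
const SAMPLE_ROWS = [
  ['Card number', 'Name', 'Circulation note', 'Balance'],
  ['23529000035676', 'koha', '=SUM(1+1)', 0],
  ['23529000035677', 'koha', "+cmd|' /C calc'!A0", 0],
  ['23529000035678', 'koha', '-1', -1],
  ['23529000035679', 'koha', 'note with "quotes", commas', 2.5],
];

console.log(csvDocument(SAMPLE_ROWS));
```

When opened in Excel, the note cell from the test plan appears as the literal text `'=SUM(1+1)` rather than `2`. The prefix is a display-layer mitigation: it protects the spreadsheet user, but the stored note is unchanged, so other consumers of the data still need their own handling.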