[Tracker-discuss] [issue580] CSV Injection Vulnerability
John Rouillard
metatracker at psf.upfronthosting.co.za
Thu Oct 5 22:33:35 EDT 2017
John Rouillard <rouilj at cs.umb.edu> added the comment:
Hi all:
If the generated csv line looks like:
"-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"
with the quotes surrounding the injected data, will that prevent the injection?
To generate the above I changed the calls to csv.writer in the handler function
from:
writer = csv.writer(wfile)
to
writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)
so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by
QUOTE_ALL. In the case above the "7" field is an id which
is a string and not a number so it is quoted.
If this works, I will open an upstream ticket and fix it upstream.
You guys will still want to fix it locally.
-- rouilj
----------
nosy: +rouilj
_______________________________________________________
PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue580>
_______________________________________________________
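An added example, not part of the thread above or of Roundup's code, that shows why the quoting change alone is a weak defence and what a text-neutralizing writer looks like. It relies on the standard library `csv` module only; the row contents, the function names (`neutralize_cell`, `write_rows`, `first_cell_after_import`, `looks_like_formula`) and the `FORMULA_PREFIXES` set are assumptions made for the example. The key caveat is that CSV double quotes are a transport encoding: any CSV parser, including a spreadsheet importer, strips them before the cell content is examined, so a cell whose text still begins with `=`, `+`, `-` or `@` reaches the spreadsheet unchanged whether or not `QUOTE_NONNUMERIC` was used.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start
# of a formula. Tab and carriage return are included because some importers
# strip them and then inspect the next character.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value unchanged unless it is a string that could be read
    as a formula; in that case prefix a single quote so the spreadsheet
    treats the cell as literal text. (Assumed helper, not Roundup code.)"""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def write_rows(rows, quoting=csv.QUOTE_NONNUMERIC, neutralize=False):
    """Serialize rows to CSV text. With neutralize=False this mirrors the
    quoting change proposed in the message; with neutralize=True each cell
    is passed through neutralize_cell first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=quoting, lineterminator="\n")
    for row in rows:
        if neutralize:
            row = [neutralize_cell(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def first_cell_after_import(csv_text):
    """Parse the CSV back the way an importer does: the CSV-level quotes are
    removed, leaving the raw text the spreadsheet would then interpret."""
    reader = csv.reader(io.StringIO(csv_text))
    return next(reader)[0]


def looks_like_formula(cell):
    """True if the imported cell text would still be formula-like."""
    return cell.startswith(FORMULA_PREFIXES)


# Constructed sample row: an issue title chosen to start with "=", plus the
# string id, status and timestamp columns the message's CSV line contains.
SAMPLE_ROW = ["=1+1 (title)", "7", "stalled", "2017-10-05 22:15"]

if __name__ == "__main__":
    quoted_only = write_rows([SAMPLE_ROW])
    hardened = write_rows([SAMPLE_ROW], neutralize=True)
    print(quoted_only, end="")
    print("formula-like after import:", looks_like_formula(first_cell_after_import(quoted_only)))
    print(hardened, end="")
    print("formula-like after import:", looks_like_formula(first_cell_after_import(hardened)))
```

The single-quote prefix is the common mitigation because it survives CSV parsing and spreadsheet import; the trade-off is that the quote is visible in some applications and that legitimately negative strings such as `"-2"` are also prefixed (genuine numbers passed as `int` are left alone because `neutralize_cell` only touches `str` values). Apply the neutralization at the point where user-controlled text is written to the CSV, independently of whatever `quoting` argument the writer uses.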