Title CSV Injection Vulnerability
Priority urgent Status chatting
Superseder Nosy List maciej.szulik, r.david.murray, rouilj
Assigned To Topics

Created on 2016-02-23.10:19:35 by maciej.szulik, last changed 2017-10-06.02:33:35 by rouilj.

msg3008 (view) Author: maciej.szulik Date: 2016-02-23.10:19:34
Copied from

The "Download as CSV " feature of does not properly "escape" fields. This allows an adversary to turn a field into active content so when we download the csv and opens it, the active content gets executed. Here is more information about this issue:

Steps to Reproduce.
1. Enter the title with the payload : -2+3+cmd|' /C calc'!A0
2. Download the bugs as CSV
3. Open it with excel and Calc will get prompted.

Depending upon the system user privileges, an attacker can perform various tasks using the same.
If the user is with high privilege, it is easy to change the system password as mentioned below
-2+3+cmd|' /C net user administrator lol@123'!A0

Ensure all fields are properly "escaped" before returning the CSV file to the user.


Impact of this one is high, as download as CSV is present for guest user as well. Means anyone can download the bugs using "Download as CSV " function and as the file is downloaded from the trusted resource so the possibility is high the code will get executed.
msg3009 (view) Author: r.david.murray Date: 2016-02-23.13:20:39
This should be reported to Roundup upstream.  The fix should be simple (just changing the csv dialect), so it doesn't really matter who develops the patch as long as both upstream and we apply it :)
msg3405 (view) Author: rouilj Date: 2017-10-06.02:33:34
Hi all:

If the generated csv line looks like:

  "-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"

with the quotes surrounding the injected data, will that prevent the injection?

To generate the above I changed the calls to csv.writer in the handler function

   writer = csv.writer(wfile)


   writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)

so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by
QUOTE_ALL. In the case above the "7" field is an id which
is a string and not a number so it is quoted.

If this works, I will open an upstream ticket and fix it upstream.

You guys will still want to fix it locally.

-- rouilj
Date User Action Args
2017-10-06 02:33:35rouiljsetnosy: + rouilj
messages: + msg3405
2016-02-23 13:20:39r.david.murraysetstatus: unread -> chatting
nosy: + r.david.murray
messages: + msg3009
2016-02-23 10:19:35maciej.szulikcreate