[Tracker-discuss] [issue580] CSV Injection Vulnerability

2017-10-05 Thread John Rouillard
John Rouillard added the comment: Hi all: If the generated csv line looks like: "-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0" with the quotes surrounding the injected data, will that prevent the injection? To generate the above I changed the calls to csv.write

[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread R David Murray
R David Murray added the comment: This should be reported to Roundup upstream. The fix should be simple (just changing the csv dialect), so it doesn't really matter who develops the patch as long as both upstream and we apply it :) -- nosy: +r.david.murray status: unread -> chatting

[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread Maciej Szulik
New submission from Maciej Szulik: Copied from http://bugs.python.org/issue26399: The "Download as CSV" feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content so when we download the csv and open it, the active content gets