[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2018-04-12 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #9 from jomo  ---
(In reply to Mike Kaganski from comment #2)
> this doesn't differ from any other spreadsheet file being opened in a 
> spreadsheet application, where formulas can appear. If you use XLS, or ODS, 
> or anything, there are formulas, and they may do all the same kind of things.

I disagree. CSV is not a "spreadsheet file" comparable to XLS or ODS. CSV is
Comma-separated values (where all values are text).

When importing, say, a CSV file with a list of comments, I would not expect
formulas to be executed only because a comment started with an equals sign.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
Libreoffice-bugs mailing list
Libreoffice-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs


[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2018-03-02 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

Eike Rathke  changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
Version|unspecified |Inherited From OOo
Summary|Fix "CSV injection" |Add option to CSV import to
   |vulnerability   |disable formula injection
 Ever confirmed|0   |1
   Severity|normal  |enhancement

--- Comment #8 from Eike Rathke  ---
Adjusting title because with the current releases there is no vulnerability,
executing DDE is not possible without user interaction.



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2018-03-02 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

Eike Rathke  changed:

   What|Removed |Added

   Keywords|needsDevAdvice  |



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2019-02-04 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

Roman Kuznetsov <79045_79...@mail.ru> changed:

   What|Removed |Added

 Blocks||109236


Referenced Bugs:

https://bugs.documentfoundation.org/show_bug.cgi?id=109236
[Bug 109236] [META] CSV import bugs and enhancements


[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-28 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

Mike Kaganski  changed:

   What|Removed |Added

 CC||spamfaen...@gmx.de

--- Comment #10 from Mike Kaganski  ---
*** Bug 142536 has been marked as a duplicate of this bug. ***



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-28 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #11 from Martin Häcker  ---
I certainly didn't find this bug report before reporting mine. I'd like to
bring over some of my comments there so they are not lost in the duplicate.

-- snip --
Steps to Reproduce:
1. Create a data-only CSV file

-- snip --
,0
0,=SUMME(1;1)
1,=WEBDIENST("http://localhost:8000")
-- snap --

2. Open with the German version of Calc (Screenshot 'import dialog with
preview.png'). Observe that the preview renders all the formulas as _DATA_, as
it should.
3. Click 'import'
4. Observe Screenshot 'imported.png'

Actual Results:
The two fields are not rendered as previewed, instead they are assumed to be
formulas and are executed. Luckily there seems to be a security safeguard that
at least blocks the http call from immediate execution. However even this block
is removed by a single click on the notice at the top of the window.

Expected Results:
I have imported a CSV file (which is a data-only format), looked at the file
beforehand in a text editor to see what I will be getting, checked the preview
for correctness, and am still not getting the import that was previewed. This is
highly surprising and also a huge enabler for a full class of security problems.

If I want the data to be interpreted and changed by Libre Office Calc, that
needs to be a separate (off by default) check box that warns about the problems
and security risks this poses - especially if the preview is not complete and
therefore does not allow me to assess what checking this box would exactly do.

Several problems I see here:

a) The preview should match the actual imported data
b) It is highly surprising that importing a data-only format will suddenly
interpret that data and not display what is in the file. This is especially
problematic if a web application exports data that contains user-controlled
input in order to exchange it with other applications, and it gets imported into
Calc at some stage. The only workaround available is to know at export time
where the file will later be imported, so the export can be sanitised for the
importing application. This is highly impractical and has a high likelihood of
data loss / unintended data changes if the file is imported into the wrong
application.
c) This is also highly surprising when one investigates the RFC for CSV:
 which states:

   Security considerations:

  CSV files contain passive text data that should not pose any
  risks.  However, it is possible in theory that malicious binary
  data may be included in order to exploit potential buffer overruns
  in the program processing CSV data.  Additionally, private data
  may be shared via this format (which of course applies to any text
  data).

This has many and quite surprising security considerations, so much so that
OWASP maintains it as its own category of security problem:
.

I learned of this because the German Corona Tracing App Luca was attacked
through this vector - but also users of web applications I maintain are
attackable by this problem.

I understand that this is probably a long-running convention for CSV import and
has an aspect of compatibility with other spreadsheet applications. However,
this is a problematic behaviour for which there is no workaround when importing
data into Calc, and there needs to be a strategy for fixing it, or at least for
allowing a workaround.

I would like to suggest going at this in a multi step process - quite possibly
stretched out over a long period. Maybe even 5-10 years - but of course I would
like a faster transition period.

My suggestion is:

1. Add a setting on import that at least allows forcing Libre Office Calc to
interpret all imported data literally so there is at least a workaround
available immediately.
2. After some time, start warning on the import preview if the imported data
contains anything that LibreOffice would like to interpret (At least formulas,
but probably also data that could be auto formatted). This should explain the
problem and/or link to a website that explains the problem and the security
concerns.
3. After some more time, switch on this option by default and instead warn if
the imported data contains interpretable data. Maybe show a preview of what the
interpretation would change to allow the user to understand what this would do.

That way the impact on existing users of that feature can be minimised, while
an immediate workaround is still available. The time bought by these measures
can then be used to create the other suggested import features to make the
transition to not interpreting imported CSV data by default safe for everyone.
-- snap --


[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-28 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #12 from Mike Kaganski  ---
(In reply to Martin Häcker from comment #11)

Only commenting one single quotation below.

> a) The preview should match the actual imported data

No. The CSV dialog does not fully process the data; it only shows which data
would go where. It will not match the end result, and that would be undesirable,
including the possibility of seeing "empty" cells (where the result is e.g. a
pair of quotes), which would make it unclear whether the data ends up in the
proper cells or is shifted - the whole purpose of the preview.



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-28 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #13 from Mike Kaganski  ---
(In reply to Mike Kaganski from comment #12)
> including possibility to see "empty" cells (where the result is e.g. a pair
> of quotes)

I must admit that I was too fast in choosing the example - quotes already
get hidden in the dialog. Yet there may be similar cases (say, with the
formulas); and honestly, I'd prefer that quotes also not be hidden.



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-30 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #14 from Martin Häcker  ---
Right now the import dialog shows the formulas un-evaluated, while later in the
document they are evaluated. There should at least be the option for the user to
get the formulas as data in the actual spreadsheet after import - just as they
are shown in the preview.

I think this is especially important because knowledgeable developers, who are
thorough and have actually read the CSV RFC, will find it states:

> CSV files contain passive text data

Also, there is no reliable way to build a CSV export file that works both as a
data interchange format between applications and as a data format that can be
imported into spreadsheet software at the same time.

To quote  

-- snip --
The nasty end result is that when generating the csv export you must know how
the export is to be used.

If it is to be used in a spreadsheet application by a user to calculate things
visually, you should escape things with a tab. This is actually even more
important since you wouldn’t want the string “-2+3” in a programming language
appearing as 1 when exported to a spreadsheet.
If it is to be used as an interchange format then do not escape anything.
If you do not know or if it is to be used in a spreadsheet application or then
later that spreadsheet will be used as an import source for software, give up,
swear off the world, get yourself a cabin with the woods and maybe try being
friends with squirrels for a while. (Alternately, use Excel but always
disconnect from the network and follow all security prompts while doing any
work) (Edit: That probably won’t work 100% either since someone can still use a
macro to overwrite well known files with their own binary. Shit.).
It’s a nightmare of a scenario, it’s sinister, damaging, and with no clear
solution. Its also something that should be far far better known than it
currently is.
-- snap --

There should at least be support in LibreOffice to allow one CSV-formatted
file to be used unchanged in all of those contexts and to allow its use as a
data interchange format - just as it is meant to be.

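An added illustration of the two sides discussed in comments #11 and #14 (this is example code written for this thread, not code from the bug report, from LibreOffice, or from the quoted blog post): a scanner that finds the cells in a CSV export that a spreadsheet importer may evaluate, and an export-side neutraliser that prefixes such cells with an apostrophe. The trigger set is the one on the OWASP "CSV Injection" page (`=`, `+`, `-`, `@`, tab, CR); the apostrophe prefix is OWASP's recommended neutralisation, while the post quoted in comment #14 uses a tab instead. The sample CSV is constructed here, mirroring the reproducer in comment #11 (German Calc: SUMME = SUM, WEBDIENST = WEBSERVICE), with a phone number added to show the false-positive cost.

```python
"""Scan a CSV export for cells a spreadsheet would evaluate as formulas, and
produce a copy neutralised for spreadsheet import.

Example code for this bug thread; not LibreOffice code.  Trigger characters
follow the OWASP "CSV Injection" page; the sample below is constructed from
the reproducer in comment #11.
"""
import csv
import io

# Leading characters Excel/Calc may treat as the start of a formula (OWASP
# list).  A leading tab or CR is included because it can hide one of the other
# characters from a naive "starts with =" check.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample input (not from the bug report): the two formulas from
# comment #11, the "-3+2" case from comment #15, a phone number that is a
# false positive for this check, and an "@" variant.
SAMPLE_CSV = (
    "id,comment\n"
    "0,hello world\n"
    '1,"=SUMME(1;1)"\n'
    '2,"=WEBDIENST(""http://localhost:8000"")"\n'
    "3,-3+2\n"
    "4,+49 30 123456\n"
    '5,"@SUM(A1:A2)"\n'
)


def looks_like_formula(cell: str) -> bool:
    """True if a spreadsheet importer may evaluate this text as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def find_formula_cells(csv_text: str, delimiter: str = ","):
    """Return (row, col, value) for every cell that would be evaluated.

    Row and column are zero-based over the parsed table, header included.
    The csv module handles quoted fields and doubled quotes, so a formula
    wrapped in quotes is still found.
    """
    hits = []
    reader = csv.reader(io.StringIO(csv_text), delimiter=delimiter)
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                hits.append((r, c, cell))
    return hits


def neutralize_cell(cell: str) -> str:
    """Prefix a dangerous cell with an apostrophe so Calc/Excel keep it as text.

    The apostrophe stays in the data, which is exactly the interchange
    problem comment #14 describes: this output is for spreadsheet
    consumption, not a lossless data file.
    """
    return "'" + cell if looks_like_formula(cell) else cell


def neutralize_csv(csv_text: str, delimiter: str = ",") -> str:
    """Rewrite a CSV so that no cell starts with a formula trigger.

    QUOTE_ALL plus the writer's quote doubling keeps a cell that contains the
    delimiter or a quote from breaking out of its field.
    """
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, quoting=csv.QUOTE_ALL,
                        lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text), delimiter=delimiter):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, v in find_formula_cells(SAMPLE_CSV):
        print(f"row {r} col {c}: {v!r}")
    print(neutralize_csv(SAMPLE_CSV))
```

Running the module lists five flagged cells, including the phone number "+49 30 123456" that carries no formula at all; that false positive is the data-change cost the thread complains about, and it is why the neutralised file should only be produced for a spreadsheet audience rather than for every consumer of the export.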


[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-05-30 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #15 from Martin Häcker  ---
(As per my tests, Calc is not quite as bad as Excel seems to be, as importing a
cell with '-3+2' is actually rendered as '-3+2' in Calc - even though when I
manually enter that same string in Calc it is instantly evaluated (and quietly
changed to '=-3+2' under the hood).)

Once that change has happened in Calc though, there is no going back to the
original data - it will always be changed by Calc when exiting the cell editor.



[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

2021-08-30 Thread bugzilla-daemon
https://bugs.documentfoundation.org/show_bug.cgi?id=114878

Eike Rathke  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED
   Assignee|libreoffice-b...@lists.free |er...@redhat.com
   |desktop.org |
