[Tracker-discuss] [issue580] CSV Injection Vulnerability

2017-10-05 Thread John Rouillard

John Rouillard added the comment:

Hi all:

If the generated csv line looks like:

  "-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"

with the quotes surrounding the injected data, will that prevent the injection?

To generate the above I changed the calls to csv.writer in the handler function
from:

   writer = csv.writer(wfile)

to

   writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)

so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by
QUOTE_ALL. In the case above the "7" field is an id which
is a string and not a number so it is quoted.

If this works, I will open an upstream ticket and fix it upstream.

You guys will still want to fix it locally.

-- rouilj

--
nosy: +rouilj

___
PSF Meta Tracker 

___
___
Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss
Code of Conduct: https://www.python.org/psf/codeofconduct/


[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread R David Murray

R David Murray added the comment:

This should be reported to Roundup upstream.  The fix should be simple (just 
changing the csv dialect), so it doesn't really matter who develops the patch 
as long as both upstream and we apply it :)

--
nosy: +r.david.murray
status: unread -> chatting



[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread Maciej Szulik

New submission from Maciej Szulik:

Copied from http://bugs.python.org/issue26399:

The "Download as CSV " feature of bugs.python.org does not properly "escape" 
fields. This allows an adversary to turn a field into active content, so when we 
download the csv and open it, the active content gets executed. Here is more 
information about this issue:
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Steps to Reproduce:
1. Enter the title with the payload : -2+3+cmd|' /C calc'!A0
2. Download the bugs as CSV
3. Open it with Excel and Calc will get prompted.

Depending upon the system user privileges, an attacker can perform various 
tasks using the same.
If the user has high privileges, it is easy to change the system password, as 
shown below:
-2+3+cmd|' /C net user administrator lol@123'!A0

Mitigations:
Ensure all fields are properly "escaped" before returning the CSV file to the 
user.

Regards,
Acid

The impact of this one is high, as Download as CSV is available to guest users as 
well. This means anyone can download the bugs using the "Download as CSV " function, 
and as the file is downloaded from a trusted resource, the possibility is high 
that the code will get executed.

--
messages: 3008
nosy: maciej.szulik
priority: urgent
status: unread
title: CSV Injection Vulnerability

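Added example, not Roundup's code and not from anyone in this thread: it ties together the "escape fields" mitigation in the report above and the csv.writer quoting change John Rouillard proposes in the 2017 message. Quoting every field handles embedded commas and double quotes, but a spreadsheet still evaluates a quoted cell whose content starts with =, +, - or @, so the widely used additional step is to prefix such fields with a single quote; the function names, the field list and the sample rows are constructed for this example.

```python
import csv
import io

# Leading characters that make Excel or LibreOffice Calc treat a cell as a
# formula; tab and CR are included because spreadsheets also honour them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_field(value):
    """Prefix an apostrophe when a string field would be parsed as a formula.

    Non-string values (ids, counts) are returned unchanged so genuinely
    numeric columns keep their type; free-text columns such as the issue
    title are the ones that carry user-controlled content.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_csv(rows):
    """Serialise rows to CSV text with every field neutralised and quoted.

    QUOTE_ALL wraps every field in double quotes and doubles any embedded
    double quote, which is the "escaping" the report asks for; the
    apostrophe prefix is what stops the formula evaluation.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralise_field(field) for field in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample rows; the first title is the payload from the report.
    rows = [
        ["title", "id", "status"],
        ["-2+3+cmd|' /C calc'!A0", 7, "stalled"],
        ['Crash when title contains "quotes"', 8, "open"],
    ]
    print(write_csv(rows), end="")
```

The apostrophe is visible in the spreadsheet and also lands in front of legitimate negative numbers stored as strings, so apply the prefix to free-text columns and leave numeric columns as numbers.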