[issue26399] CSV Injection Vulnerability

2016-02-23 Thread Maciej Szulik
Maciej Szulik added the comment: Closing in favor of http://psf.upfronthosting.co.za/roundup/meta/issue580
-- nosy: +maciej.szulik; resolution: -> wont fix; status: open -> closed
___ Python tracker

[issue26399] CSV Injection Vulnerability

2016-02-21 Thread Brett Cannon
Brett Cannon added the comment: Tracker bugs should be reported to http://psf.upfronthosting.co.za/roundup/meta/ .
-- nosy: +brett.cannon

[issue26399] CSV Injection Vulnerability

2016-02-21 Thread Acid
Acid added the comment: The impact of this one is high, as "Download as CSV" is available to guest users as well. This means anyone can download the bugs using the "Download as CSV" function, and as the file is downloaded from a trusted resource, the possibility is high that the code will get executed.

[issue26399] CSV Injection Vulnerability

2016-02-21 Thread Acid
New submission from Acid: The "Download as CSV" feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content, so when we download the CSV and open it, the active content gets executed. Here is more information about this issue: htt
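The issue described in the submission above, as an added example that is not part of the tracker thread or of Roundup's own code: the standard `csv` module escapes fields for the CSV grammar (commas, quotes, newlines) but does nothing about a field that a spreadsheet will evaluate as a formula once the file is opened. The rows below are constructed for the example; the exporter and scanner are mine, and the trigger character list follows the commonly published CSV-injection guidance rather than anything stated on this page.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of
# a formula. Tab and carriage return are included because some applications
# strip leading whitespace before deciding whether a cell is a formula.
# (Assumption: this is the widely published list, not a tracker-provided one.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows standing in for a "Download as CSV" of bug records.
# The second title is an attacker-controlled field: valid CSV, but active
# content in a spreadsheet. The third is a benign title that merely starts
# with a trigger character.
CONSTRUCTED_ROWS = [
    ["id", "title", "status"],
    [26399, '=HYPERLINK("http://attacker.example/x","Click")', "open"],
    [26400, "-1 is not a valid timeout", "open"],
    [26401, "Plain title, nothing to see", "closed"],
]


def is_formula_like(value):
    """True if a string cell may be interpreted as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Make a cell inert by prefixing formula-looking text with a single
    quote, which spreadsheets treat as a literal-text marker.
    Non-string values (ids, numbers) pass through unchanged."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows_unsafe(rows):
    """Naive export: csv.writer quotes for the CSV grammar only, so a
    leading '=' survives intact and is still a formula on open."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def export_rows_safe(rows):
    """Hardened export: neutralize every cell before it reaches the writer."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def read_back(csv_text):
    """Parse CSV text into a list of rows of strings (as a consumer would)."""
    return list(csv.reader(io.StringIO(csv_text)))


def find_formula_cells(csv_text):
    """Scan an already-exported CSV for cells that would be evaluated as
    formulas; returns (row_index, col_index, value) for each hit."""
    hits = []
    for r, row in enumerate(read_back(csv_text)):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_rows_unsafe(CONSTRUCTED_ROWS)
    safe = export_rows_safe(CONSTRUCTED_ROWS)
    print("unsafe export:\n" + unsafe)
    print("formula-like cells in unsafe export:", find_formula_cells(unsafe))
    print("safe export:\n" + safe)
    print("formula-like cells in safe export:", find_formula_cells(safe))
```

Two caveats worth knowing before adopting the single-quote prefix: it is deliberately conservative, so a legitimate title such as "-1 is not a valid timeout" also gets prefixed (harmless, but visible as a literal apostrophe in tools that are not spreadsheets), and it only addresses formula evaluation; cell content that breaks the CSV grammar itself is already handled by `csv.writer`'s quoting, which is why the two concerns are separate.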