John Rouillard <rou...@cs.umb.edu> added the comment:

Hi all:

If the generated csv line looks like:

"-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"

with the quotes surrounding the injected data, will that prevent the injection?

To generate the above I changed the calls to csv.writer in the handler function from:

    writer = csv.writer(wfile)

to

    writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)

so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by QUOTE_ALL. In the case above the "7" field is an id which is a string and not a number so it is quoted.

If this works, I will open an upstream ticket and fix it upstream. You guys will still want to fix it locally.

--
rouilj

----------
nosy: +rouilj

PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue580>

Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss
Code of Conduct: https://www.python.org/psf/codeofconduct/
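The quoting change discussed in the message, shown next to a neutralization step that prefixes formula-leading cells with an apostrophe, as an added example: this is not code from the message or from Roundup, and `neutralize_cell`, `write_csv`, `has_formula_cells` and the sample row (built from the field values quoted above) are assumptions. Quoting only changes how the field is delimited; once a spreadsheet strips the quotes the cell content is unchanged, which is why the check parses the export back and looks at the bare field values.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell with a leading apostrophe if it would be read as a formula.

    Real numbers (int/float) pass through untouched so they stay numeric in the
    export; any string starting with a trigger character gets a leading "'",
    which spreadsheet applications display as literal text.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_csv(rows, neutralize=True, quoting=csv.QUOTE_NONNUMERIC):
    """Serialize rows with the quoting mode from the message, optionally neutralizing cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=quoting)
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def has_formula_cells(csv_text):
    """Parse an export back (as a spreadsheet would) and report any field
    whose bare value still starts with a formula trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    return any(field.startswith(FORMULA_TRIGGERS) for row in reader for field in row)


# Constructed sample row (hypothetical), using the field values from the message.
SAMPLE_ROW = ["-2+3+cmd|' /C calc'!A0", "7", "stalled", "I cansee", "",
              "2017-10-05 22:15", "0"]

if __name__ == "__main__":
    print("quoting only  -> formula cells:", has_formula_cells(write_csv([SAMPLE_ROW], neutralize=False)))
    print("quoting+prefix -> formula cells:", has_formula_cells(write_csv([SAMPLE_ROW])))
    print(write_csv([SAMPLE_ROW]), end="")
```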
If the generated csv line looks like: "-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0" with the quotes surrounding the injected data, will that prevent the injection? To generate the above I changed the calls to csv.writer in the handler function from: writer = csv.writer(wfile) to writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC) so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by QUOTE_ALL. In the case above the "7" field is an id which is a string and not a number so it is quoted. If this works, I will open an upstream ticket and fix it upstream. You guys will still want to fix it locally. -- rouilj ---------- nosy: +rouilj _______________________________________________________ PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za> <http://psf.upfronthosting.co.za/roundup/meta/issue580> _______________________________________________________ _______________________________________________ Tracker-discuss mailing list Tracker-discuss@python.org https://mail.python.org/mailman/listinfo/tracker-discuss Code of Conduct: https://www.python.org/psf/codeofconduct/