John Rouillard <rou...@cs.umb.edu> added the comment:

Hi all:

If the generated csv line looks like:

  "-2+3+cmd|' /C calc'!A0","7","stalled","I cansee","","2017-10-05 22:15","0"

with the quotes surrounding the injected data, will that prevent the injection?

To generate the above I changed the calls to csv.writer in the handler function
from:

   writer = csv.writer(wfile)

to

   writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC)

so it quotes more fields. QUOTE_NONNUMERIC can also be replaced by
QUOTE_ALL. In the case above the "7" field is an id which
is a string and not a number so it is quoted.

If this works, I will open an upstream ticket and fix it upstream.

You guys will still want to fix it locally.

-- rouilj

----------
nosy: +rouilj

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue580>
_______________________________________________________
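An added example (not from the message and not Roundup's own code) showing why quoting alone does not settle the question and what the usual defense looks like: a CSV consumer strips the surrounding quotes before a spreadsheet sees the cell, so a field that begins with "=", "+", "-" or "@" is still evaluated as a formula, and the standard mitigation is to prefix such cells with an apostrophe. The function names, the prefix list and the sample row are assumptions constructed for this example.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula (or a DDE command), regardless of CSV quoting. (Assumed list.)
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Disarm a cell by prefixing formula triggers with an apostrophe.

    Spreadsheets treat a leading apostrophe as "this cell is text" and do
    not display it. Non-string values (ids, counts) pass through unchanged.
    Trade-off: a negative number exported as a string ("-5") becomes text.
    """
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_quoted_only(rows):
    """The quoting-only variant proposed in the message (QUOTE_NONNUMERIC)."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC).writerows(rows)
    return buf.getvalue()


def export_neutralized(rows):
    """Quote every field AND neutralize formula triggers in each cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def parse_first_row(csv_text):
    """Parse the CSV back the way a consumer does: the quotes are stripped."""
    return next(csv.reader(io.StringIO(csv_text)))


if __name__ == "__main__":
    # Constructed sample row modelled on the exported line in the message.
    row = ["=2+3", "7", "stalled", "", "2017-10-05 22:15", "0"]
    print(export_quoted_only([row]), end="")  # quoted on disk ...
    print(parse_first_row(export_quoted_only([row]))[0])  # ... but parses back to =2+3
    print(export_neutralized([row]), end="")
    print(parse_first_row(export_neutralized([row]))[0])  # parses back to '=2+3 (text)
```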