Fixed a potential CSV injection vulnerability.

craftcms · Sep 27, 2021 · c9cb222 · c9cb222
1 parent 02ed3eb
commit c9cb222
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,9 @@
 - Fixed a bug where duplicated entries that were created via an “Applying new propagation method” job weren’t getting positioned correctly based on the original entries’ structure. ([#9782](https://github.com/craftcms/cms/issues/9782))
 - Fixed a bug where unpublished drafts could disappear after clicking “Create entry” if the URI could not be made unique. ([#9873](https://github.com/craftcms/cms/issues/9873))
 
+### Security
+- Fixed a potential CSV injection vulnerability.
+
 ## 3.7.13 - 2021-09-14
 
 ### Added

diff --git a/src/web/CsvResponseFormatter.php b/src/web/CsvResponseFormatter.php
@@ -83,10 +83,18 @@ public function format($response)
             fputcsv($fp, $headers, ',');
         }
 
+        $suspectCharacters = ['=', '-', '+', '@'];
+
         foreach ($data as $row) {
             foreach ($row as &$field) {
                 if (is_scalar($field)) {
                     $field = (string)$field;
+
+                    // Guard against CSV injection attacks
+                    // https://github.com/thephpleague/csv/issues/268
+                    if ($field && $field !== '' && in_array($field[0], $suspectCharacters)) {
+                        $field = "\t$field";
+                    }
                 } else {
                     $field = Json::encode($field);
                 }