From c60df53f399bb7652ebb238b455174c6f0d4be12 Mon Sep 17 00:00:00 2001
From: Tony Dunlop
Date: Tue, 18 Sep 2018 12:26:30 +0100
Subject: [PATCH] negate formula injection attacks in downloaded CSV files

The current setup is vulnerable to CSV formula injection attacks, this negates it. However it might need to be configurable to allow cases where formulas are required. See below for further information: https://www.contextis.com/blog/comma-separated-vulnerabilities http://georgemauer.net/2017/10/07/csv-injection.html
---
 system/database/DB_utility.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/system/database/DB_utility.php b/system/database/DB_utility.php
index 6b8c95e9828..b81f2ae704e 100644
--- a/system/database/DB_utility.php
+++ b/system/database/DB_utility.php
@@ -245,14 +245,21 @@ public function csv_from_result(CI_DB_result $query, $delim = ',', $newline = "\
 }
 $out = substr($out, 0, -strlen($delim)).$newline;
-
+$unsafe_chars=array('=','+','-','@');
+
 // Next blast through the result array and build out the rows
 while ($row = $query->unbuffered_row('array'))
 {
 $line = array();
 foreach ($row as $item)
 {
-$line[] = $enclosure.str_replace($enclosure, $enclosure.$enclosure, $item).$enclosure;
+$first = $item[0];
+$prepend='';
+if (in_array($first, $unsafe_chars));
+$prepend="\t";
+}
+
+$line[] = $enclosure.$prepend.str_replace($enclosure, $enclosure.$enclosure, trim($item)).$enclosure;
 }
 $out .= implode($delim, $line).$newline;
 }
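Review bot: The guard in the new `foreach` body is broken: `if (in_array($first, $unsafe_chars));` ends in a semicolon, so the condition is a no-op, `$prepend="\t";` runs for every cell, and the `}` that follows closes the `foreach` early and leaves the file with a parse error. `$first = $item[0];` is also read before `trim($item)` is applied, so a value with leading whitespace followed by `=`, `+`, `-` or `@` is trimmed into a formula trigger after the check has already passed it, and on an empty or NULL cell `$item[0]` raises an uninitialized-offset notice; checking the trimmed value behind `$item !== ''` with a strict `in_array` avoids both. `trim()` itself changes every exported value and is not mentioned in the commit message, so it may deserve its own change or a justification. Commonly cited lists of spreadsheet formula triggers also include a leading tab and carriage return, so `$unsafe_chars` may want those too, in line with the message's own remark that the list may need to be configurable. `csv_from_result()` begins and ends outside the hunk.

```php
foreach ($row as $item)
{
	$item = trim($item);
	$prepend = '';
	if ($item !== '' && in_array($item[0], $unsafe_chars, TRUE))
	{
		$prepend = "\t";
	}

	$line[] = $enclosure.$prepend.str_replace($enclosure, $enclosure.$enclosure, $item).$enclosure;
}
```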