Date: Fri, 7 Oct 2016 00:31:20 +0000 (UTC)
From: "Phil Varner (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Created] (CSV-199) CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks

Phil Varner created CSV-199:
-------------------------------

Summary: CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
Key: CSV-199
URL: https://issues.apache.org/jira/browse/CSV-199
Project: Commons CSV
Issue Type: New Feature
Components: Printer
Affects Versions: 1.4
Reporter: Phil Varner

A common use for Commons CSV is to export user-generated data for analysis in spreadsheet software like Excel. One attack against this usage is for a user to create data that appears as a formula to Excel, such that Excel executes it. For example, a simple non-malicious example of this is a CSV file like:

{code}
Name,Email,Favorite Color
Aaron Aaronson,aa@example.com,=1+1
{code}

When opened, Excel will execute the macro and display "2". A malicious example could, for example, use "=cmd|' /C calc'!A0", causing a command prompt to be opened. This can be exploited with values starting with =, +, -, or .

This feature would add a flag to CSVFormat called "escapeFormulas" that would defend against creating vulnerable CSV files like this by prepending a single quote to any CSV column value starting with the four aforementioned characters. Also added would be a predefined format EXCEL_WITHOUT_FORMULAS that could be used for safely exporting data that was not intended to contain formulas.

I believe it is important to add this as a feature to CSVFormat rather than relying on users to manually escape formulas, because many users do not know about this security vulnerability but would prefer to defend against it if aware.

More information:
https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
https://hackerone.com/reports/72785
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
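The single-quote-prefix defense the issue proposes, as an added example that is not Commons CSV's own code (the library version discussed has no escapeFormulas flag): a small helper applied to every cell before it reaches CSVPrinter, so the prefix is added before CSV quoting is decided. It assumes Commons CSV on the classpath; the class and method names are my own, and the trigger set adds '@', tab and carriage return from the OWASP CEMI guidance the issue links to.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

public final class FormulaSafeCsv {

    // Leading characters a spreadsheet reads as the start of a formula.
    // The issue lists '=', '+' and '-'; '@', tab and carriage return are
    // included following the OWASP CEMI page (assumption, not from the issue).
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /** Prefix a cell with a single quote if its first character would start a formula. */
    public static String escapeFormula(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        return FORMULA_TRIGGERS.indexOf(value.charAt(0)) >= 0 ? "'" + value : value;
    }

    /** Write header and rows in Excel format, running every data cell through escapeFormula(). */
    public static String export(String[] header, String[]... rows) throws IOException {
        StringWriter out = new StringWriter();
        try (CSVPrinter printer = new CSVPrinter(out, CSVFormat.EXCEL)) {
            printer.printRecord((Object[]) header);
            for (String[] row : rows) {
                Object[] safe = new Object[row.length];
                for (int i = 0; i < row.length; i++) {
                    safe[i] = escapeFormula(row[i]);   // escape before CSVPrinter quotes the cell
                }
                printer.printRecord(safe);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rows: the "=1+1" cell from the issue plus a '+' and a '-' variant.
        System.out.print(export(
                new String[] {"Name", "Email", "Favorite Color"},
                new String[] {"Aaron Aaronson", "aa@example.com", "=1+1"},
                new String[] {"Bea Bee", "bb@example.com", "+41 555 0100"},
                new String[] {"Cy Cee", "cc@example.com", "-5"}));
    }
}
```

The prefix changes the stored value (a phone number "+41 555 0100" becomes "'+41 555 0100"), so apply it only to exports destined for a spreadsheet, not to data that will be parsed back by a program.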