Page MenuHomestyx hydra
Files F176450

No OneTemporary
Actions

View Options

diff --git a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
index 67f0a4963a..8f3879d5fb 100644
--- a/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
+++ b/src/infrastructure/export/format/PhabricatorCSVExportFormat.php
@@ -1,60 +1,70 @@
<?php
final class PhabricatorCSVExportFormat
extends PhabricatorExportFormat {
const EXPORTKEY = 'csv';
private $rows = array();
public function getExportFormatName() {
return pht('Comma-Separated Values (.csv)');
}
public function isExportFormatEnabled() {
return true;
}
public function getFileExtension() {
return 'csv';
}
public function getMIMEContentType() {
return 'text/csv';
}
public function addHeaders(array $fields) {
$headers = mpull($fields, 'getLabel');
$this->addRow($headers);
}
public function addObject($object, array $fields, array $map) {
$values = array();
foreach ($fields as $key => $field) {
$value = $map[$key];
$value = $field->getTextValue($value);
$values[] = $value;
}
$this->addRow($values);
}
private function addRow(array $values) {
$row = array();
foreach ($values as $value) {
+
+ // Excel is extremely interested in executing arbitrary code it finds in
+ // untrusted CSV files downloaded from the internet. When a cell looks
+ // like it might be too tempting for Excel to ignore, mangle the value
+ // to dissuade remote code execution. See T12800.
+
+ if (preg_match('/^\s*[+=@-]/', $value)) {
+ $value = '(!) '.$value;
+ }
+
if (preg_match('/\s|,|\"/', $value)) {
$value = str_replace('"', '""', $value);
$value = '"'.$value.'"';
}
$row[] = $value;
}
$this->rows[] = implode(',', $row);
}
public function newFileData() {
return implode("\n", $this->rows);
}
}

File Metadata

Mime Type
text/x-diff
Expires
Tue, Jun 10, 6:23 PM (1 d, 8 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
140714
Default Alt Text
(1 KB)

Event Timeline

styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)