Merge pull request #136 from magento-nord/develop

Korshenko, Olexii(okorshenko) · Korshenko, Olexii(okorshenko) · commit 39cb0b9ca85a · 2015-11-05T16:44:38.000+02:00
MAGETWO-37209: Excel Formula Injection via CSV/XML export - 2.x
diff --git a/app/code/Magento/Catalog/view/adminhtml/web/catalog/product/composite/configure.js b/app/code/Magento/Catalog/view/adminhtml/web/catalog/product/composite/configure.js
@@ -7,7 +7,7 @@ define([
     "jquery/ui",
     "mage/translate",
     "prototype",
-    'Magento_Ui/js/modal/modal'
+    "Magento_Ui/js/modal/modal"
 ], function(jQuery){
 
     window.ProductConfigure = Class.create();
@@ -764,4 +764,4 @@ define([
     };
 
     productConfigure = new ProductConfigure();
-});
+});
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_index.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_index.xml
@@ -21,6 +21,7 @@
         </referenceBlock>
         <referenceContainer name="after.body.start">
             <block class="Magento\Backend\Block\Template" name="optional_zip_countries" as="optional_zip_countries" template="Magento_Directory::js/optional_zip_countries.phtml"/>
+            <block class="Magento\Catalog\Block\Adminhtml\Product\Composite\Configure" template="Magento_Catalog::catalog/product/composite/configure.phtml"/>
         </referenceContainer>
         <referenceContainer name="js">
             <block class="Magento\Backend\Block\Template" template="Magento_Sales::order/create/js.phtml" name="create"/>
@@ -75,8 +76,5 @@
                 </block>
             </block>
         </referenceBlock>
-        <referenceContainer name="before.body.end">
-            <block class="Magento\Catalog\Block\Adminhtml\Product\Composite\Configure" template="Magento_Catalog::catalog/product/composite/configure.phtml"/>
-        </referenceContainer>
     </body>
 </page>
diff --git a/lib/internal/Magento/Framework/Filesystem/Driver/File.php b/lib/internal/Magento/Framework/Filesystem/Driver/File.php
@@ -710,7 +710,7 @@ public function filePutCsv($resource, array $data, $delimiter = ',', $enclosure
             if (!is_string($value)) {
                 $value = (string)$value;
             }
-            if (isset($value[0]) && $value[0] === '=') {
+            if (isset($value[0]) && in_array($value[0], ['=', '+', '-'])) {
                 $data[$key] = ' ' . $value;
             }
         }
diff --git a/lib/internal/Magento/Framework/Filesystem/Io/File.php b/lib/internal/Magento/Framework/Filesystem/Io/File.php
@@ -190,7 +190,7 @@ public function streamWriteCsv(array $row, $delimiter = ',', $enclosure = '"')
             if (!is_string($value)) {
                 $value = (string)$value;
             }
-            if (isset($value[0]) && $value[0] === '=') {
+            if (isset($value[0]) && in_array($value[0], ['=', '+', '-'])) {
                 $row[$key] = ' ' . $value;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -710,7 +710,7 @@ public function filePutCsv($resource, array $data, $delimiter = ',', $enclosure`
`710`	`710`	`if (!is_string($value)) {`
`711`	`711`	`$value = (string)$value;`
`712`	`712`	`}`
`713`		`- if (isset($value[0]) && $value[0] === '=') {`
	`713`	`+ if (isset($value[0]) && in_array($value[0], ['=', '+', '-'])) {`
`714`	`714`	`$data[$key] = ' ' . $value;`
`715`	`715`	`}`
`716`	`716`	`}`
Original file line number	Diff line number	Diff line change
`@@ -190,7 +190,7 @@ public function streamWriteCsv(array $row, $delimiter = ',', $enclosure = '"')`
`190`	`190`	`if (!is_string($value)) {`
`191`	`191`	`$value = (string)$value;`
`192`	`192`	`}`
`193`		`- if (isset($value[0]) && $value[0] === '=') {`
	`193`	`+ if (isset($value[0]) && in_array($value[0], ['=', '+', '-'])) {`
`194`	`194`	`$row[$key] = ' ' . $value;`
`195`	`195`	`}`
`196`	`196`	`}`