MAGETWO-37209: Excel Formula Injection via CSV/XML export - 2.x

orlangur · orlangur · commit 7d31bc4c74ca · 2015-05-27T13:15:37.000-04:00
diff --git a/dev/tests/integration/testsuite/Magento/Framework/Filesystem/File/WriteTest.php b/dev/tests/integration/testsuite/Magento/Framework/Filesystem/File/WriteTest.php
@@ -81,7 +81,7 @@ public function writeProvider()
             ['new1.csv', 'w', 'write check', 11],
             ['new3.csv', 'a', 'write check', 11],
             ['new5.csv', 'x', 'write check', 11],
-            ['new7.csv', 'c', 'write check', 11]
+            ['new7.csv', 'c', 'write check', 11],
         ];
     }
 
@@ -117,40 +117,42 @@ public function writeAndReadProvider()
             ['new2.csv', 'w+', 'write check', 11],
             ['new4.csv', 'a+', 'write check', 11],
             ['new6.csv', 'x+', 'write check', 11],
-            ['new8.csv', 'c+', 'write check', 11]
+            ['new8.csv', 'c+', 'write check', 11],
         ];
     }
 
     /**
      * Writes one CSV row to the file.
      *
-     * @dataProvider csvProvider
+     * @dataProvider csvDataProvider
+     * @param array $expectedData
      * @param string $path
      * @param array $data
      * @param string $delimiter
      * @param string $enclosure
      */
-    public function testWriteCsv($path, array $data, $delimiter = ',', $enclosure = '"')
+    public function testWriteCsv($expectedData, $path, array $data, $delimiter = ',', $enclosure = '"')
     {
         $file = $this->getFileInstance($path, 'w+');
         $result = $file->writeCsv($data, $delimiter, $enclosure);
         $file->seek(0);
         $read = $file->readCsv($result, $delimiter, $enclosure);
         $file->close();
         $this->removeCurrentFile();
-        $this->assertEquals($data, $read);
+        $this->assertEquals($expectedData, $read);
     }
 
     /**
      * Data provider for testWriteCsv
      *
      * @return array
      */
-    public function csvProvider()
+    public function csvDataProvider()
     {
         return [
-            ['newcsv1.csv', ['field1', 'field2'], ',', '"'],
-            ['newcsv1.csv', ['field1', 'field2'], '%', '@']
+            [['field1', 'field2'], 'newcsv1.csv', ['field1', 'field2'], ',', '"'],
+            [['field1', 'field2'], 'newcsv1.csv', ['field1', 'field2'], '%', '@'],
+            [[' =field1', 'field2'], 'newcsv1.csv', ['=field1', 'field2'], '%', '@'],
         ];
     }
 
@@ -201,7 +203,7 @@ private function getFileInstance($path, $mode)
             [
                 'path' => $this->currentFilePath,
                 'driver' => new \Magento\Framework\Filesystem\Driver\File(),
-                'mode' => $mode
+                'mode' => $mode,
             ]
         );
     }
diff --git a/lib/internal/Magento/Framework/Filesystem/Driver/File.php b/lib/internal/Magento/Framework/Filesystem/Driver/File.php
@@ -7,8 +7,8 @@
  */
 namespace Magento\Framework\Filesystem\Driver;
 
-use Magento\Framework\Filesystem\DriverInterface;
 use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Filesystem\DriverInterface;
 
 class File implements DriverInterface
 {
@@ -299,7 +299,7 @@ public function copy($source, $destination, DriverInterface $targetDriver = null
                     [
                         $source,
                         $destination,
-                        $this->getWarningMessage()
+                        $this->getWarningMessage(),
                     ]
                 )
             );
@@ -329,7 +329,7 @@ public function symlink($source, $destination, DriverInterface $targetDriver = n
                     [
                         $source,
                         $destination,
-                        $this->getWarningMessage()
+                        $this->getWarningMessage(),
                     ]
                 )
             );
@@ -644,6 +644,16 @@ public function fileWrite($resource, $data)
      */
     public function filePutCsv($resource, array $data, $delimiter = ',', $enclosure = '"')
     {
+        /**
+        * Security enhancement for CSV data processing by Excel-like applications.
+        * @see https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
+        */
+        foreach ($data as $key => $value) {
+            if (isset($value[0]) && $value[0] === '=') {
+                $data[$key] = ' ' . $value;
+            }
+        }
+
         $result = @fputcsv($resource, $data, $delimiter, $enclosure);
         if (!$result) {
             throw new FileSystemException(
diff --git a/lib/internal/Magento/Framework/Filesystem/Io/File.php b/lib/internal/Magento/Framework/Filesystem/Io/File.php
@@ -177,6 +177,15 @@ public function streamWriteCsv(array $row, $delimiter = ',', $enclosure = '"')
         if (!$this->_streamHandler) {
             return false;
         }
+        /**
+         * Security enhancement for CSV data processing by Excel-like applications.
+         * @see https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
+         */
+        foreach ($row as $key => $value) {
+            if (isset($value[0]) && $value[0] === '=') {
+                $row[$key] = ' ' . $value;
+            }
+        }
         return @fputcsv($this->_streamHandler, $row, $delimiter, $enclosure);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@`
`7`	`7`	`*/`
`8`	`8`	`namespace Magento\Framework\Filesystem\Driver;`
`9`	`9`
`10`		`-use Magento\Framework\Filesystem\DriverInterface;`
`11`	`10`	`use Magento\Framework\Exception\FileSystemException;`
	`11`	`+use Magento\Framework\Filesystem\DriverInterface;`
`12`	`12`
`13`	`13`	`class File implements DriverInterface`
`14`	`14`	`{`
`@@ -299,7 +299,7 @@ public function copy($source, $destination, DriverInterface $targetDriver = null`
`299`	`299`	`[`
`300`	`300`	`$source,`
`301`	`301`	`$destination,`
`302`		`- $this->getWarningMessage()`
	`302`	`+ $this->getWarningMessage(),`
`303`	`303`	`]`
`304`	`304`	`)`
`305`	`305`	`);`
`@@ -329,7 +329,7 @@ public function symlink($source, $destination, DriverInterface $targetDriver = n`
`329`	`329`	`[`
`330`	`330`	`$source,`
`331`	`331`	`$destination,`
`332`		`- $this->getWarningMessage()`
	`332`	`+ $this->getWarningMessage(),`
`333`	`333`	`]`
`334`	`334`	`)`
`335`	`335`	`);`
`@@ -644,6 +644,16 @@ public function fileWrite($resource, $data)`
`644`	`644`	`*/`
`645`	`645`	`public function filePutCsv($resource, array $data, $delimiter = ',', $enclosure = '"')`
`646`	`646`	`{`
	`647`	`+ /**`
	`648`	`+ * Security enhancement for CSV data processing by Excel-like applications.`
	`649`	`+ * @see https://bugzilla.mozilla.org/show_bug.cgi?id=1054702`
	`650`	`+ */`
	`651`	`+ foreach ($data as $key => $value) {`
	`652`	`+ if (isset($value[0]) && $value[0] === '=') {`
	`653`	`+ $data[$key] = ' ' . $value;`
	`654`	`+ }`
	`655`	`+ }`
	`656`	`+`
`647`	`657`	`$result = @fputcsv($resource, $data, $delimiter, $enclosure);`
`648`	`658`	`if (!$result) {`
`649`	`659`	`throw new FileSystemException(`