[Serializer] Fix security issue on CsvEncoder about CSV injection #24508
Conversation
0cfa2ac to
baf31e5
Compare
|
Great initiative 👍 I'd target 3.4. |
6d7dc03 to
e254fcb
Compare
src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
Outdated
Show resolved
Hide resolved
527dc6a to
fc743a1
Compare
|
@welcoMattic Nope, that would create merge conflicts when merging lower branches up to master. Thanks. |
|
Should we also allow to pass this option through the context so that you do not necessary have to configure this option globally? |
|
@xabbuh why not. We should also make the context |
|
👍 to allow overriding this option in the context. |
09a5ed5 to
9c0733d
Compare
|
Great! But as stated in the article, it's definitely not a security issue on our side. The current implementation respects the RFC (Excel and Google Sheets don't), and most software consuming CSV expect the current behavior. |
|
Thanks @dunglas! For documentation, should I create a new page under Serializer section? Named CsvEncoder, and where I explain why this options exists? |
|
Alternative approach might be to just add a normalizer. That would help with deserialization of such sanitized csvs too and doesn't pollute __construct arguments. I don't like having this in core anyway though, as it's security issue in Excel and Google sheets only and this is destructive kind of escaping |
|
Not sure if we need to support that in core. /cc @symfony/mergers |
|
👍 to include that as it's security feature that people should be aware about. |
There was a problem hiding this comment.
i think in 95% of the use cases, the serializer will be used to export data, which might include user provided input.
there is only a problem if this component is used to generate sheets with formula. i would add an explaination in the phpdoc to explain what this flag is about and say to set it to true when you don't intend to have formula in the csv you generate.
i am no merger, but +1 on this. it is a relevant security topic and obviously excel/libreoffice/google and whoever else is affected decided they rather not properly fix it, so its up to generators of csv files to ensure security.
i think this should be against 3.3 as that is the branch for security fixes.
|
👍 to support this feature too. But as it's definitely not a security fix (on our side), it's a new feature that should be merged in 4.1.
There is also a problem when the value start with |
|
i'd update the changelog and phpdoc as that will be relevant either way. i hope one of the maintainers can decide which version this should go. i can see the point of kevin, and its a good reason why its not on by default. but i feel it still is security relevant, even if its not a bug of symfony, but symfony helping around lax security of other tools - and as such should go into 3.3 or 3.4. |
|
I think that you can update and rebase the PR @welcoMattic |
|
@nicolas-grekas Done, I also fix @ostrolucky's comment. |
|
@welcoMattic thanks. Can you rebase to get rid of the merge commit? I invite you to squash while doing so. |
b98b9ab to
414a61d
Compare
|
|
||
| public function __construct(string $delimiter = ',', string $enclosure = '"', string $escapeChar = '\\', string $keySeparator = '.') | ||
| public function __construct(string $delimiter = ',', string $enclosure = '"', string $escapeChar = '\\', string $keySeparator = '.', $escapeFormulas = false) |
There was a problem hiding this comment.
missing bool type declaration for the new argument
414a61d to
a1b0bdb
Compare
|
Thanks for review @Tobion 👍 |
|
Thank you @welcoMattic. |
…V injection (welcoMattic) This PR was merged into the 4.1-dev branch. Discussion ---------- [Serializer] Fix security issue on CsvEncoder about CSV injection | Q | A | ------------- | --- | Branch? | master (4.1) | Bug fix? | no | New feature? | yes | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | License | MIT I read [this article](http://georgemauer.net/2017/10/07/csv-injection.html) about CSV injection and I thought it best to update the `CsvEncoder` so that it does not generate potentially malicious CSV files by default. Commits ------- a1b0bdb Fix security issue on CsvEncoder
I read this article about CSV injection and I thought it best to update the
CsvEncoderso that it does not generate potentially malicious CSV files by default.