[Serializer] CsvEncoder with csv_escape_formulas=true will escape negative numbers #59970

Open
@PeterMead

Symfony version(s) affected

5.4.45

Description

When csv_escape_formulas is set to true, then CsvEncoder will escape strings that start with +, -, =, and others to prevent Excel from interpreting them as formulas and potentially causing a code execution attack. See https://georgemauer.net/2017/10/07/csv-injection.html for more details.

However, CsvEncoder currently casts everything to a string before checking the starting characters, meaning that negative numbers get escaped because the string starts with -. This means that when opened in a spreadsheet application that column is no longer treated as a number.

I do not believe negative numbers to be an attack vector so they do not need to be escaped.

How to reproduce

```php
<?php

use PHPUnit\Framework\TestCase;
use Symfony\Component\Serializer\Encoder\CsvEncoder;

class CsvEncoderTest extends TestCase
{
    public function testNegativeInteger(): void
    {
        $encoder = new CsvEncoder();
        $data = [
            ['a' => '-1', 'b' => -1],
            ['a' => '0', 'b' => 0],
            ['a' => '+1', 'b' => 1],
        ];
        // Only the string column 'a' should be escaped. The encoder terminates
        // every row, including the last, with a newline, hence the blank line
        // before the closing CSV marker.
        $expectedResult = <<<CSV
a,b
'-1,-1
0,0
'+1,1

CSV;
        $result = $encoder->encode($data, 'csv', [
            CsvEncoder::ESCAPE_FORMULAS_KEY => true,
        ]);
        $this->assertSame($expectedResult, $result);
    }

    public function testNegativeFloat(): void
    {
        $encoder = new CsvEncoder();
        $data = [
            ['a' => '-1.1', 'b' => -1.1],
            ['a' => '0.1', 'b' => 0.1],
            ['a' => '+1.1', 'b' => 1.1],
        ];
        $expectedResult = <<<CSV
a,b
'-1.1,-1.1
0.1,0.1
'+1.1,1.1

CSV;
        $result = $encoder->encode($data, 'csv', [
            CsvEncoder::ESCAPE_FORMULAS_KEY => true,
        ]);
        $this->assertSame($expectedResult, $result);
    }
}
```

Possible Solution

Exclude values of type integer and of type float from the escaping.
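As an added illustration of the proposed fix (this is standalone code written for this page, not Symfony's CsvEncoder), the following keeps formula escaping for strings while writing PHP ints and floats verbatim; the names FORMULA_START_CHARACTERS, escapeCell and encodeRows are hypothetical, and the sample rows are constructed.

```php
<?php
// Hypothetical helper, not CsvEncoder's code: trigger characters a spreadsheet
// treats as the start of a formula (the issue names +, -, = "and others").
const FORMULA_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];

/**
 * Return the text to write into one CSV cell.
 * Ints and floats are emitted unchanged: a spreadsheet parses "-1" coming from
 * a numeric cell as a number, so prefixing it only breaks the numeric column.
 * Strings are cast and checked on their first character, as the encoder does.
 */
function escapeCell($value): string
{
    if (\is_int($value) || \is_float($value)) {
        return (string) $value;
    }
    $value = (string) $value;
    if ('' !== $value && \in_array($value[0], FORMULA_START_CHARACTERS, true)) {
        return "'".$value;
    }

    return $value;
}

/** Encode rows (all with the same keys) to CSV, escaping each cell first. */
function encodeRows(array $rows): string
{
    $handle = fopen('php://temp', 'r+');
    fputcsv($handle, array_keys($rows[0]));
    foreach ($rows as $row) {
        fputcsv($handle, array_map('escapeCell', $row));
    }
    rewind($handle);
    $csv = stream_get_contents($handle);
    fclose($handle);

    return $csv;
}

// Constructed sample: string column 'a' versus typed numeric column 'b'.
$rows = [
    ['a' => '-1', 'b' => -1],
    ['a' => '=1+1', 'b' => 0],
    ['a' => '+1.5', 'b' => 1.5],
];
echo encodeRows($rows);
// a,b
// '-1,-1
// '=1+1,0
// '+1.5,1.5
```

The numeric column stays numeric in the spreadsheet, while the string column, including the benign formula literal, keeps its protective quote.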

Additional Context

No response
