CVE-2021-41270: Prevent CSV Injection via formulas
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.
In Symfony 4.1, we’ve added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, – or @ by a tab t.
Since then, OWASP added 2 chars in that list:
– Tab (0x09)
– Carriage return (0x0D)
This makes our previous prefix char (Tab t) part of the vulnerable characters, and OWASP suggests using the single quote ‚ for prefixing the value.
Symfony now follows the OWASP recommendations and use the single quote ‚ to prefix formulas and adds the prefix to cells starting by t, r as well as =, +, – and @.
The patch for this issue is available here for branch 4.4.
We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.