VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Jun 3, 2020· Updated Aug 4, 2024

Potential CSV Injection vector in OctoberCMS

CVE-2020-5299

Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability in the victims spreadsheet software of choice. 2. Control data that would potentially be exported through the ImportExportController by a theoretical victim. 3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software. Issue has been patched in Build 466 (v1.0.466).

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
october/backendPackagist
>= 1.0.319, < 1.0.4661.0.466

Affected products

1

Patches

2
802d8c8e09a2

Temporary workaround until the L6 upgrade can be merged in to use league/csv >= 9.1

https://github.com/octobercms/octoberLuke TowersMar 31, 2020via ghsa
commit
2 files changed · +16 0
  • modules/backend/behaviors/ImportExportController.php+8 0 modified
    @@ -11,6 +11,7 @@
 use Illuminate\Database\Eloquent\MassAssignmentException;
 use League\Csv\Reader as CsvReader;
 use League\Csv\Writer as CsvWriter;
+use October\Rain\Parse\League\EscapeFormula as CsvEscapeFormula;
 use ApplicationException;
 use SplTempFileObject;
 use Exception;
@@ -624,6 +625,9 @@ public function exportFromList($definition = null, $options = [])
         $csv->setEnclosure($options['enclosure']);
         $csv->setEscape($options['escape']);
 
+        // Temporary until upgrading to league/csv >= 9.1.0 (will be $csv->addFormatter($formatter))
+        $formatter = new CsvEscapeFormula();
+
         /*
          * Add headers
          */
@@ -657,6 +661,10 @@ public function exportFromList($definition = null, $options = [])
                 }
                 $record[] = $value;
             }
+
+            // Temporary until upgrading to league/csv >= 9.1.0
+            $record = $formatter($record);
+
             $csv->insertOne($record);
         }
  • modules/backend/models/ExportModel.php+8 0 modified
    @@ -5,6 +5,7 @@
 use Model;
 use Response;
 use League\Csv\Writer as CsvWriter;
+use October\Rain\Parse\League\EscapeFormula as CsvEscapeFormula;
 use ApplicationException;
 use SplTempFileObject;
 
@@ -111,6 +112,9 @@ protected function processExportData($columns, $results, $options)
             $csv->setEscape($options['escape']);
         }
 
+        // Temporary until upgrading to league/csv >= 9.1.0 (will be $csv->addFormatter($formatter))
+        $formatter = new CsvEscapeFormula();
+
         /*
          * Add headers
          */
@@ -124,6 +128,10 @@ protected function processExportData($columns, $results, $options)
          */
         foreach ($results as $result) {
             $data = $this->matchDataToColumns($result, $columns);
+
+            // Temporary until upgrading to league/csv >= 9.1.0
+            $data = $formatter($data);
+
             $csv->insertOne($data);
         }
c84bf03f5060

Temporary workaround until the L6 upgrade can be merged in to use league/csv >= 9.1

https://github.com/octobercms/libraryLuke TowersMar 31, 2020via ghsa
commit
1 file changed · +145 0
  • src/Parse/League/EscapeFormula.php+145 0 added
    @@ -0,0 +1,145 @@
+<?php namespace October\Rain\Parse\League;
+
+/**
+ * League.Csv (https://csv.thephpleague.com)
+ *
+ * (c) Ignace Nyamagana Butera <nyamsprod@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use InvalidArgumentException;
+
+/**
+ * A Formatter to tackle CSV Formula Injection.
+ *
+ * @see http://georgemauer.net/2017/10/07/csv-injection.html
+ */
+class EscapeFormula
+{
+    /**
+     * Spreadsheet formula starting character.
+     */
+    const FORMULA_STARTING_CHARS = ['=', '-', '+', '@'];
+
+    /**
+     * Effective Spreadsheet formula starting characters.
+     *
+     * @var array
+     */
+    protected $special_chars = [];
+
+    /**
+     * Escape character to escape each CSV formula field.
+     *
+     * @var string
+     */
+    protected $escape;
+
+    /**
+     * New instance.
+     *
+     * @param string   $escape        escape character to escape each CSV formula field
+     * @param string[] $special_chars additional spreadsheet formula starting characters
+     *
+     */
+    public function __construct(string $escape = "\t", array $special_chars = [])
+    {
+        $this->escape = $escape;
+        if ([] !== $special_chars) {
+            $special_chars = $this->filterSpecialCharacters(...$special_chars);
+        }
+
+        $chars = array_merge(self::FORMULA_STARTING_CHARS, $special_chars);
+        $chars = array_unique($chars);
+        $this->special_chars = array_fill_keys($chars, 1);
+    }
+
+    /**
+     * Filter submitted special characters.
+     *
+     * @param string ...$characters
+     *
+     * @throws InvalidArgumentException if the string is not a single character
+     *
+     * @return string[]
+     */
+    protected function filterSpecialCharacters(string ...$characters): array
+    {
+        foreach ($characters as $str) {
+            if (1 != strlen($str)) {
+                throw new InvalidArgumentException(sprintf('The submitted string %s must be a single character', $str));
+            }
+        }
+
+        return $characters;
+    }
+
+    /**
+     * Returns the list of character the instance will escape.
+     *
+     * @return string[]
+     */
+    public function getSpecialCharacters(): array
+    {
+        return array_keys($this->special_chars);
+    }
+
+    /**
+     * Returns the escape character.
+     */
+    public function getEscape(): string
+    {
+        return $this->escape;
+    }
+
+    /**
+     * League CSV formatter hook.
+     *
+     * @see escapeRecord
+     */
+    public function __invoke(array $record): array
+    {
+        return $this->escapeRecord($record);
+    }
+
+    /**
+     * Escape a CSV record.
+     */
+    public function escapeRecord(array $record): array
+    {
+        return array_map([$this, 'escapeField'], $record);
+    }
+
+    /**
+     * Escape a CSV cell if its content is stringable.
+     *
+     * @param mixed $cell the content of the cell
+     *
+     * @return mixed|string the escaped content
+     */
+    protected function escapeField($cell)
+    {
+        if (!$this->isStringable($cell)) {
+            return $cell;
+        }
+
+        $str_cell = (string) $cell;
+        if (isset($str_cell[0], $this->special_chars[$str_cell[0]])) {
+            return $this->escape.$str_cell;
+        }
+
+        return $cell;
+    }
+
+    /**
+     * Tells whether the submitted value is stringable.
+     *
+     * @param string|object $value
+     */
+    protected function isStringable($value): bool
+    {
+        return is_string($value) || method_exists($value, '__toString');
+    }
+}
\ No newline at end of file

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.