Bug 114878 - Add option to CSV import to disable formula injection
Summary: Add option to CSV import to disable formula injection
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc
Version: Inherited From OOo (earliest affected)
Hardware: All All
Importance: medium enhancement
Assignee: Not Assigned
URL: http://georgemauer.net/2017/10/07/csv...
Blocks: CSV-Import
Reported: 2018-01-07 11:23 UTC by "fb_!v=
Modified: 2019-02-04 09:08 UTC

Description "fb_!v= 2018-01-07 11:23:04 UTC
Description:
Maliciously crafted CSV document leads, in violation of RFC4180, to remote code execution.

http://georgemauer.net/2017/10/07/csv-injection.html
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20injection


Steps to Reproduce:
http://georgemauer.net/2017/10/07/csv-injection.html
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20injection


Actual Results:  
RCE

Expected Results:
No RCE. Fields must not be interpreted as formulas in such kinds of documents.


Reproducible: Always


User Profile Reset: No



Additional Info:


User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Comment 1 Jean-Baptiste Faure 2018-01-07 17:07:17 UTC
Please, have a look at https://www.libreoffice.org/about-us/security/

@Eike: you may be interested in this bug report.

Best regards. JBF
Comment 2 Mike Kaganski 2018-01-08 01:46:14 UTC
Actually, this is not a "remote" code execution. And this doesn't differ from any other spreadsheet file being opened in a spreadsheet application, where formulas can appear. If you use XLS, or ODS, or anything, there are formulas, and they may do all the same kind of things. The only difference here is that it's not widespread knowledge that CSV files can contain that, too, even though the RFC says otherwise.

RFC is great, but current state (with billions of existing files that are required to keep working) is the de-facto standard. And that isn't gonna change. The only things required (not here, but universally) are an amendment to the RFC that makes it up-to-date, and wide informing.
Comment 3 Xisco Faulí 2018-02-14 09:55:01 UTC
@Mike Kaganski, should it be closed as RESOLVED WONTFIX ?
Comment 4 Jean-Baptiste Faure 2018-02-18 22:26:53 UTC
(In reply to Xisco Faulí from comment #3)
> @Mike Kaganski, should it be closed as RESOLVED WONTFIX ?

If I understand well what Mike wrote, it should be closed as RESOLVED NOTABUG.
WONTFIX agrees there is a problem in LibreOffice. It seems it is not the case.

Best regards. JBF
Comment 5 Mike Kaganski 2018-02-19 05:38:31 UTC
Well, I'd close it as WONTFIX (after updating our help), because the issue of discrepancy between documentation and implementation indeed exists.

But I only expressed my personal opinion, and I suppose that erAck's opinion here is much more relevant.
Comment 6 Eike Rathke 2018-02-19 14:16:54 UTC
With master, 6.0.1 and 5.4.5 if a DDE() function is used in a formula imported (also from CSV) it leads to the "This file contains links to other files. Should they be updated?" dialogue and the function is only executed after confirmation. On master the modal dialogue was changed to an InfoBar (and reading "This file contains links to other files or external resources" to point out it's not only about local files) so the user can inspect Edit -> Links what external data would be accessed before confirming.
Comment 7 Eike Rathke 2018-02-19 14:38:29 UTC
We could add yet another option to the CSV import dialogue like "Import formulas as text" or some such and pre-set checked for unaware users.
Comment 8 Eike Rathke 2018-03-02 17:34:27 UTC
Adjusting title because with the current releases there is no vulnerability, executing DDE is not possible without user interaction.
Comment 9 jomo 2018-04-12 15:27:09 UTC
(In reply to Mike Kaganski from comment #2)
> this doesn't differ from any other spreadsheet file being opened in a spreadsheet application, where formulas can appear. If you use XLS, or ODS, or anything, there are formulas, and they may do all the same kind of things.

I disagree. CSV is not a "spreadsheet file" comparable to XLS or ODS. CSV is Comma-separated values (where all values are text).

When importing, say, a CSV file with a list of comments, I would not expect formulas to be executed only because a comment started with an equals sign.
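
Added example (not part of the bug report or of LibreOffice's code): a pre-import filter in the spirit of the "Import formulas as text" option proposed in comment 7, which parses a CSV and forces formula-like fields to text while leaving plain signed numbers alone. The trigger set `=`, `+`, `-`, `@` follows OWASP's CSV injection guidance and is an assumption here (the thread itself names only the equals sign); the function names and the sample data are constructed.

```python
import csv
import io
import re

# Assumption: leading characters an importer may treat as the start of a
# formula (OWASP CSV-injection guidance); the thread names only "=".
FORMULA_LEAD = ("=", "+", "-", "@")
# Plain signed numbers such as -5 or +3.2e4 are data and must survive intact.
PLAIN_NUMBER = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def is_formula_like(field: str) -> bool:
    """True if an importer could interpret this text field as a formula."""
    core = field.strip()  # leading whitespace must not hide the trigger
    return core.startswith(FORMULA_LEAD) and not PLAIN_NUMBER.match(core)


def neutralize_csv(text: str):
    """Return (clean_csv, findings); findings are (row, column, value)."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")  # RFC 4180 line ending
    reader = csv.reader(io.StringIO(text, newline=""))
    for r, row in enumerate(reader, start=1):
        clean = []
        for c, field in enumerate(row, start=1):
            if is_formula_like(field):
                findings.append((r, c, field))
                field = "'" + field  # leading apostrophe: keep it as text
            clean.append(field)
        writer.writerow(clean)
    return out.getvalue(), findings


# Constructed sample: a comment export like the one described in comment 9.
SAMPLE = (
    "id,author,comment,score\r\n"
    '1,alice,"=1+1 is what I expected",-5\r\n'
    '2,bob,"@SUM(A1) looks odd",+3.5\r\n'
    '3,carol,"plain text, with comma",7\r\n'
    "4,dave,+49 30 1234,0\r\n"
)

if __name__ == "__main__":
    cleaned, hits = neutralize_csv(SAMPLE)
    for row, col, value in hits:
        print(f"row {row} col {col}: forced to text: {value!r}")
    print(cleaned, end="")
```

The findings list doubles as an audit log: a data file in which many fields trip the check is worth inspecting before anyone opens it in a spreadsheet.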