niftycent.com
NiftyCent
US
Login
Marketplace
Discounts

CVE-2021-41270: Prevent CSV Injection via formulas

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we've added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, - or @ by a tab \t.

Since then, OWASP added 2 chars in that list:

  • Tab (0x09)
  • Carriage return (0x0D)

This makes our previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value.

Resolution

Symfony now follows the OWASP recommendations and use the single quote ' to prefix formulas and adds the prefix to cells starting by \t, \r as well as =, +, - and @.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 4y | Nov 24, 2021, 9:20:09 AM


Login to add comment

Other posts in this group

Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6
Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6

At Wide, Micropole’s digital agency, they help leading brands modernize their digital infrastructures while ensuring scalability, security, and performance. When Audi France approached them to migrate

Jul 4, 2025, 9:40:14 AM | Symfony
Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)
Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)

Vente-unique.com, a leading European online retailer of furniture and home decor, operates in 11 countries, powered by a team of 400 professionals and serving more than 3 million customers. From 15 ye

Jul 2, 2025, 9:10:03 AM | Symfony
A Week of Symfony #965 (June 23–29, 2025)
A Week of Symfony #965 (June 23–29, 2025)

This week, Symfony 6.4.23, 7.2.8 and 7.3.1 maintenance versions were released. Meanwhile, the upcoming Symfony 7.4 version continued adding new features such as better controller helpers, more precisi

Jun 29, 2025, 9:10:15 AM | Symfony
Symfony 6.4.23 released
Symfony 6.4.23 released

Symfony 6.4.23 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in you

Jun 28, 2025, 9:50:15 AM | Symfony
Symfony 7.2.8 released
Symfony 7.2.8 released

Symfony 7.2.8 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

Jun 28, 2025, 9:50:15 AM | Symfony
Symfony 7.3.1 released
Symfony 7.3.1 released

Symfony 7.3.1 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

Jun 28, 2025, 9:50:14 AM | Symfony
A Week of Symfony #964 (June 16–22, 2025)
A Week of Symfony #964 (June 16–22, 2025)

This week, development activity was intense, with many bug fixes in the maintained branches, numerous deprecation removals in the 8.0 branch, and new features added to the 7.4 branch, including tighte

Jun 22, 2025, 8:10:05 AM | Symfony
Techie
Techie