CVE-2021-41270: Prevent CSV Injection via formulas

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we've added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, - or @ by a tab \t.

Since then, OWASP added 2 chars in that list:

Tab (0x09)
Carriage return (0x0D)

This makes our previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value.

Resolution

Symfony now follows the OWASP recommendations and use the single quote ' to prefix formulas and adds the prefix to cells starting by \t, \r as well as =, +, - and @.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 4y | Nov 24, 2021, 9:20:09 AM

Other posts in this group

SymfonyOnline June 2025: Keynote “Symfony in 2025, Scaling to Zero.”

SymfonyOnline June 2025 is almost here, starting in a few weeks on:

June 10-11: Workshop days. June 12-13: Online conference days in English. All talks will be available for replay as soon as

May 16, 2025, 3:10:26 PM | Symfony

New in Symfony 7.3: Dependency Injection Improvements

Symfony 7.3 introduces several enhancements to the DependencyInjection component that simplify service configuration, make autoconfiguration more flexible, and enable environment-specific aliasing.

May 16, 2025, 8:10:11 AM | Symfony