CVE-2021-41270: Prevent CSV Injection via formulas

Description

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker.

In Symfony 4.1, we've added the opt-in csv_escape_formulas option in CsvEncoder, to prefix all cells starting by =, +, - or @ by a tab \t.

Since then, OWASP added 2 chars in that list:

Tab (0x09)
Carriage return (0x0D)

This makes our previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value.

Resolution

Symfony now follows the OWASP recommendations and use the single quote ' to prefix formulas and adds the prefix to cells starting by \t, \r as well as =, +, - and @.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Jake Barwell for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 3y | Nov 24, 2021, 9:20:09 AM

Other posts in this group

Symfony 6.4.19 released

Symfony 6.4.19 has just been released. Here is the list of the most important changes since 6.4.18:

bug #59198 [Messenger] Filter out non-consumable receivers when registering ConsumeMessagesComm

Feb 26, 2025, 12:20:03 PM | Symfony

Symfony 7.2.4 released

Symfony 7.2.4 has just been released. Here is the list of the most important changes since 7.2.3:

bug #59198 [Messenger] Filter out non-consumable receivers when registering ConsumeMessagesComman

Feb 26, 2025, 12:20:03 PM | Symfony

Just one month to go before SymfonyLive Paris 2025 workshops begin!

SymfonyLive Paris 2025, conference in French language only, will already start in 1 month with the workshops! Have a look on the topics and join us! Schedule details are available here.

📣

Feb 25, 2025, 3:20:33 PM | Symfony

New Core Team Members, 2025 Edition

A few weeks ago, I had the pleasure of announcing the formation of the Symfony UX Core Team, a dedicated group working to enhance the frontend development experience within the Symfony ecosystem. Toda

Feb 24, 2025, 4:20:03 PM | Symfony

SymfonyLive Paris 2025 : Du lego de composants pour un bundle Gotenberg !

SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here.

Feb 24, 2025, 1:50:07 PM | Symfony

A Week of Symfony #947 (17-23 February 2025)

This week, development activity focused on new security features. The upcoming Symfony 7.3 version added support for security voters to explain their vote, improved the IsGranted attribute to allow us

Feb 23, 2025, 10:10:09 AM | Symfony

SymfonyLive Berlin 2025: Agentic Applications with Symfony

SymfonyLive Berlin 2025, conference held in English, will take place from April 1 to 4! The schedule is being revealed gradually. More details are available here.

We’re thrilled to announce

Feb 21, 2025, 9:20:12 AM | Symfony

Techie