Issue 672064 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Command injection on client via monorail CSV export

Reported by anasro...@gmail.com, Dec 7 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
1. Go to https://chromiumbugs.appspot.com
2. Open a new issue under the name =cmd|' /c calc'!a0
3. Export the last issues as CSV
4. Open the file you have downloaded and the calculator will open

What is the expected behavior?
This can be used to run commands on the victim's device

What went wrong?
The = character isn't filtered.

Did this work before? N/A

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: 10.0
Flash Version: 

The same bugs are here if you want to have a look

https://hackerone.com/reports/72785
https://hackerone.com/reports/126109
Attachment: chromium-issues.csv (90.5 KB)
Summary: Command injection on client via monorail CSV export (was: CSV injection vulnerability)
This originally came in as 656277, which was rather less interesting.

The claim now is that some CSV viewers are so absurdly broken that they'll run code based on the contents of the CSV file.

It seems pretty obvious that this is a bug in the CSV viewer, not in the exporter.

If the Monorail team wanted to provide a DiD for this, we probably need to move this bug over at https://bugs.chromium.org/p/monorail/issues/list
No, this bug is on the exporter,

please read more about CSV injection vulnerabilities and see these bugs.

https://hackerone.com/reports/72785
https://hackerone.com/reports/126109
 
It's a stretch to call it a bug in the exporter, insofar as the exporter doesn't do anything unreasonable.

I've confirmed that a really really naive Excel user can suffer code execution via this scenario. Screenshot attached.
Attachment: ExploitInExcel2016.png (36.6 KB)
I really know that this type of vulnerability is not famous like XSS and SQL injection etc.

So please, if you want to read more about this, you can read here

https://www.contextis.com//resources/blog/comma-separated-vulnerabilities/

and thanks very much :)
Status: Untriaged (was: Unconfirmed)
If we decided to fix this, we could probably make a simple modification to \infra\appengine\monorail\tracker\tablecell.py's function

class TableCellSummaryCSV(table_view_helpers.TableCell):
  """TableCell subclass for showing issue summaries escaped for CSV."""
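
The escaping such a modification would need, as an added example that is not Monorail's code and does not use its data model (the issue dict shape and the function names are assumptions): each exported cell that starts with a character spreadsheet applications treat as a formula prefix is marked as literal text before the CSV writer quotes it.

```python
import csv
import io

# Characters that Excel, LibreOffice and Google Sheets treat as the start of a
# formula when they lead a cell. Tab and carriage return are included because
# some viewers strip them before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_cell(value):
    """Neutralize a cell a spreadsheet would otherwise evaluate as a formula.

    A leading single quote makes the common viewers keep the cell as text.
    The quote stays visible in the export, and legitimate values such as
    negative numbers are escaped too; that is the accepted trade-off.
    """
    if value is None:
        return ""
    text = str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_issues_csv(issues):
    """Render issue rows as CSV text with every cell escaped.

    `issues` is a list of dicts with 'id', 'summary' and 'reporter' keys
    (a hypothetical shape for this example, not Monorail's own model).
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["ID", "Summary", "Reporter"])
    for issue in issues:
        writer.writerow(
            [escape_csv_cell(issue[k]) for k in ("id", "summary", "reporter")]
        )
    return buf.getvalue()


# Constructed sample input: one ordinary summary and one row whose summary and
# reporter fields would both be evaluated by a spreadsheet if left untouched.
SAMPLE_ISSUES = [
    {"id": 1, "summary": "Crash when opening tab", "reporter": "alice@example.com"},
    {"id": 2, "summary": "=SUM(A1:A2)", "reporter": "+41 123"},
]

if __name__ == "__main__":
    print(export_issues_csv(SAMPLE_ISSUES))
```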

Yes,
Will you fix it then?
Status: WontFix (was: Untriaged)
Moved to https://bugs.chromium.org/p/monorail/issues/detail?id=1996
Just asking if there will be any kind of reward when it's fixed? :)
Project Member

Comment 10 by sheriffbot@chromium.org, Mar 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot