An attacker could create an instance with a malicious name beginning
with an equals sign (=) or at sign (@).
These are both recognized in Excel as metacharacters for a formula. The
attacker can create an instance name that includes a payload that will
execute code such as:
=cmd|' /C calc'!A0
This payload opens the calculator program when the resulting CSV is
opened on a Windows machine with Microsoft Excel. An attacker could
easily substitute this payload with another that runs any arbitrary
shell commands.
Quote the CSV output so this is no longer a possibility.
Closes-Bug: #1842749
Change-Id: I937fa2a14bb483d87f057b3e8be219ecdc9363eb
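An added example (not part of the change above or its project) of a CSV writer that applies the mitigation the commit describes, quoting every field, and goes one step further by prefixing a single quote to any cell that starts with a formula metacharacter, since Excel strips the double quotes of a CSV field before deciding whether it is a formula. The header, row values and the FORMULA_PREFIXES set beyond '=' and '@' are assumptions chosen for the demonstration.

```python
import csv
import io

# Characters Excel treats as the start of a formula. The commit names '='
# and '@'; '+', '-', tab and carriage return are added here as well, since
# Excel also interprets them (assumption: the full set used by common
# CSV-injection hardening, not taken from the change above).
FORMULA_PREFIXES = ("=", "@", "+", "-", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that Excel will render as literal text.

    A string beginning with a formula metacharacter is prefixed with a
    single quote, which Excel reads as "treat the rest as text". Other
    values are returned unchanged for the csv module to serialize.
    """
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def rows_to_csv(header, rows):
    """Serialize a table with every field double-quoted (csv.QUOTE_ALL) and
    formula metacharacters neutralized. Embedded double quotes are doubled
    by the csv module, so a crafted name cannot break out of its field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample: one instance whose name is the payload quoted in the
# commit message, next to a harmless one (hypothetical data).
SAMPLE_HEADER = ["ID", "Name", "Status"]
SAMPLE_ROWS = [
    ["0001", "=cmd|' /C calc'!A0", "ACTIVE"],
    ["0002", "web-01", "ACTIVE"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```

Opening the output in Excel shows the literal text `=cmd|' /C calc'!A0` in the Name cell instead of evaluating it.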