An attacker could create an instance with a malicious name beginning with an equals sign (=) or at sign (@). These are both recognized in Excel as metacharacters for a formula. The attacker can create an instance name that includes a payload that will execute code such as:

    =cmd|' /C calc'!A0

This payload opens the calculator program when the resulting CSV is opened on a Windows machine with Microsoft Excel. An attacker could easily substitute this payload with another that runs any arbitrary shell commands.

Quote the CSV output so this is no longer a possibility.

Closes-Bug: #1842749
Change-Id: I937fa2a14bb483d87f057b3e8be219ecdc9363eb
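The injection and the mitigation described in the commit message, as an added example in Python (Horizon is a Django application); this is not code from the commit or from Horizon itself. The sample rows, column names and function names are constructed for illustration. The example goes one step beyond the commit: besides quoting every field, it prefixes formula-like cells with a single quote, because the CSV-injection guidance commonly cited by practitioners (for example OWASP's) documents that spreadsheet importers can still evaluate a quoted cell whose content begins with `=`, `+`, `-` or `@`.

```python
import csv
import io

# Characters that Excel and LibreOffice treat as the start of a formula when a
# CSV cell is imported. The commit message names '=' and '@'; '+', '-', tab
# and carriage return are the other prefixes listed in CSV-injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows modelled on a usage report: the instance name is
# chosen by the tenant and therefore attacker-controlled, the rest is not.
SAMPLE_ROWS = [
    ("web-01", "m1.small", "24.0"),
    ("=cmd|' /C calc'!A0", "m1.small", "0.5"),
    ("@SUM(A1:A2)", "m1.tiny", "1.0"),
    ('name with "quotes", and a comma', "m1.large", "12.0"),
]


def vulnerable_csv(rows):
    """The pre-fix pattern: fields joined with commas and no quoting at all.

    An attacker-controlled name is emitted verbatim, and an embedded comma or
    quote also corrupts the column layout.
    """
    header = "Instance Name,Flavor,Hours\n"
    return header + "".join(",".join(row) + "\n" for row in rows)


def neutralize(field):
    """Prefix formula-like cells with a single quote so spreadsheet importers
    treat them as text.

    The quote is visible to the user and would also mark a legitimate negative
    number such as "-5" as text; that is the accepted trade-off of this
    mitigation, so apply it to free-text columns rather than numeric ones if
    the schema allows it.
    """
    field = str(field)
    if field.startswith(FORMULA_PREFIXES):
        return "'" + field
    return field


def hardened_csv(rows):
    """Quote every field (RFC 4180 style, doubling embedded double quotes) and
    neutralize formula prefixes in each cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Instance Name", "Flavor", "Hours"])
    for row in rows:
        writer.writerow([neutralize(f) for f in row])
    return buf.getvalue()


def formula_cells(csv_text):
    """Parse the CSV back the way a spreadsheet importer would (quotes
    stripped) and return the cells that would still be read as formulas."""
    found = []
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.startswith(FORMULA_PREFIXES):
                found.append(cell)
    return found


if __name__ == "__main__":
    print("vulnerable output still contains formulas:",
          formula_cells(vulnerable_csv(SAMPLE_ROWS)))
    print("hardened output contains formulas:",
          formula_cells(hardened_csv(SAMPLE_ROWS)))
    print(hardened_csv(SAMPLE_ROWS))
```

`formula_cells` is the check worth keeping around: run it over the exported file rather than trusting the writer, since it reads the CSV back through a parser that discards quoting exactly as a spreadsheet does, so it catches cells that are quoted but still begin with a formula metacharacter.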