Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Spreadsheets are vulnerable to hidden formulas in CSV files. If webform data is submitted by untrusted users, and the submissions are downloaded in CSV format, maliciously-formatted submission data may be used to create a security vulnerability. The Drupal security team has concluded that this vulnerability does not rest in webform, but rather in the spreadsheets. Nonetheless, a warning about opening downloaded submissions in CSV format with spreadsheets should be added to the webform download page.
For more information, see the headings "Formula Injection" and "Exploiting trust relationships" here: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/.
Originally reported by zread.
Solution: Add the following warning to the download page when delimited text format is selected:
Warning: Opening delimited text files with spreadsheet applications may expose you to formula injection or other security vulnerabilities. When the submissions contain data from untrusted users and the downloaded file will be used with spreadsheets, choose Microsoft Excel format. Search "spreadsheet formula injection" for more information.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | webform-csv_warning-2788591-2.patch | 2.83 KB | DanChadwick |
Comments
Comment #3
DanChadwick CreditAttribution: DanChadwick at PreviousNext commentedCommitted to 7.x-4.x
Comment #4
DanChadwick CreditAttribution: DanChadwick at PreviousNext commentedComment #5
fenstratClosing to clear out the old Webform 8.x-4.x branch. See #2827845: [roadmap] YAML Form 8.x-1.x to Webform 8.x-5.x.