[TASK] Sanitize CSV and XLS export against Excel hacks

einpraegsam · einpraegsam · commit 32f57bf73b37 · 2021-08-10T23:57:52.000+02:00
as described in https://typo3.org/security/advisory/typo3-psa-2021-002
diff --git a/Classes/Exception/OutdatedTypo3Exception.php b/Classes/Exception/OutdatedTypo3Exception.php
@@ -0,0 +1,10 @@
+<?php
+declare(strict_types = 1);
+namespace In2code\Powermail\Exception;
+
+/**
+ * OutdatedTypo3Exception
+ */
+class OutdatedTypo3Exception extends \Exception
+{
+}
diff --git a/Classes/Utility/CsvUtility.php b/Classes/Utility/CsvUtility.php
@@ -0,0 +1,31 @@
+<?php
+declare(strict_types = 1);
+namespace In2code\Powermail\Utility;
+
+use In2code\Powermail\Exception\OutdatedTypo3Exception;
+use TYPO3\CMS\Core\Utility\CsvUtility as CsvUtilityCore;
+
+/**
+ * CsvUtility
+ */
+class CsvUtility extends CsvUtilityCore
+{
+    /**
+     * See See https://typo3.org/security/advisory/typo3-psa-2021-002 for details
+     *
+     * @param string $value
+     * @return string
+     * @throws OutdatedTypo3Exception
+     */
+    public static function sanitizeCell(string $value): string
+    {
+        if (method_exists(__CLASS__, 'prefixControlLiterals')) {
+            return self::prefixControlLiterals($value);
+        }
+        throw new OutdatedTypo3Exception(
+            'Function prefixControlLiterals() does not exists in your TYPO3 instance. ' .
+                'Please update to the latest version.',
+            1628632343
+        );
+    }
+}
diff --git a/Classes/ViewHelpers/String/SanitizeCsvCellViewHelper.php b/Classes/ViewHelpers/String/SanitizeCsvCellViewHelper.php
@@ -0,0 +1,23 @@
+<?php
+declare(strict_types = 1);
+namespace In2code\Powermail\ViewHelpers\String;
+
+use In2code\Powermail\Utility\CsvUtility;
+use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractViewHelper;
+
+/**
+ * SanitizeCsvCellViewHelper
+ * Because of a hijacking possibilit of Excel, we should clean the column value
+ * See https://typo3.org/security/advisory/typo3-psa-2021-002 and https://owasp.org/www-community/attacks/CSV_Injection
+ * for details
+ */
+class SanitizeCsvCellViewHelper extends AbstractViewHelper
+{
+    /**
+     * @return string
+     */
+    public function render(): string
+    {
+        return CsvUtility::sanitizeCell($this->renderChildren());
+    }
+}
diff --git a/Resources/Private/Templates/Module/ExportCsv.html b/Resources/Private/Templates/Module/ExportCsv.html
@@ -1,93 +1,94 @@
 {namespace vh=In2code\Powermail\ViewHelpers}
 <f:layout name="Export" />
 
-	Render Powermail CSV Export
-	{mails}					All Mails for exporting
-	{fieldsUids}			Fields to export (drag'n drop settings in module)
+    Render Powermail CSV Export
+    {mails}					All Mails for exporting
+    {fieldsUids}			Fields to export (drag'n drop settings in module)
 
 <f:section name="main"><vh:string.utf8ToUtf16><vh:string.trim>
 
-	<f:comment>
-		Headline
-	</f:comment>
-	<f:for each="{fieldUids}" as="fieldUid">
-		<f:if condition="{vh:condition.isNumber(val:fieldUid)}">
-			<f:then>
-				"<vh:string.removeQuote><vh:getter.getFieldLabelFromUid uid="{fieldUid}" /></vh:string.removeQuote>";
-			</f:then>
-			<f:else>
-				"<vh:string.removeQuote><f:translate key="\In2code\Powermail\Domain\Model\Mail.{vh:String.UnderscoredToLowerCamelCase(val:fieldUid)}" /></vh:string.removeQuote>";
-			</f:else>
-		</f:if>
-	</f:for>
-	<br />
+    <f:comment>
+        Headline
+    </f:comment>
+    <f:for each="{fieldUids}" as="fieldUid">
+        <f:if condition="{vh:condition.isNumber(val:fieldUid)}">
+            <f:then>
+                "<vh:string.removeQuote><vh:getter.getFieldLabelFromUid uid="{fieldUid}" /></vh:string.removeQuote>";
+            </f:then>
+            <f:else>
+                "<vh:string.removeQuote><f:translate key="\In2code\Powermail\Domain\Model\Mail.{vh:String.UnderscoredToLowerCamelCase(val:fieldUid)}" /></vh:string.removeQuote>";
+            </f:else>
+        </f:if>
+    </f:for>
+    <br />
 
 
-	<f:comment>
-		Content line
-	</f:comment>
-	<f:for each="{mails}" as="mail" iteration="index">
-		<f:for each="{fieldUids}" as="fieldUid">
-			<f:if condition="{vh:condition.isNumber(val:fieldUid)}">
-				<f:then>
-					<f:for each="{mail.answers}" as="answer">
-						<f:if condition="{fieldUid} == {answer.field.uid}">
-							<f:if condition="{vh:condition.isArray(val:answer.value)}">
-								<f:then>
-									"<vh:string.removeQuote>
-									<f:for each="{answer.value}" as="singleValue" iteration="arrayIndex">
-										<f:if condition="{singleValue}">
-											{singleValue}<f:if condition="{arrayIndex.isLast}"><f:else>,</f:else></f:if>
-										</f:if>
-									</f:for>
-								</vh:string.removeQuote>";
-								</f:then>
-								<f:else>
-									"<vh:string.removeQuote>{answer.value}</vh:string.removeQuote>";
-								</f:else>
-							</f:if>
-						</f:if>
-					</f:for>
-				</f:then>
-				<f:else>
-					<f:if condition="{vh:condition.isDateTimeVariableInVariable(obj:mail, prop:fieldUid)}">
-						<f:then>
-							<f:if condition="{0: fieldUid} == {0: 'crdate'}">
-								<f:then>
-									"<vh:string.removeQuote><f:format.date format="d.m.Y H:i:s"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date>
-									<f:translate key="Clock" /></vh:string.removeQuote>";
-								</f:then>
-								<f:else>
+    <f:comment>
+        Content line
+    </f:comment>
+    <f:for each="{mails}" as="mail" iteration="index">
+        <f:for each="{fieldUids}" as="fieldUid">
+            <f:if condition="{vh:condition.isNumber(val:fieldUid)}">
+                <f:then>
+                    <f:for each="{mail.answers}" as="answer">
+                        <f:if condition="{fieldUid} == {answer.field.uid}">
+                            <f:if condition="{vh:condition.isArray(val:answer.value)}">
+                                <f:then>
+                                    "<vh:string.removeQuote>
+                                        <vh:string.sanitizeCsvCell>
+                                            <f:for each="{answer.value}" as="singleValue" iteration="arrayIndex">
+                                                <f:if condition="{singleValue}">
+                                                    {singleValue}<f:if condition="{arrayIndex.isLast}"><f:else>,</f:else></f:if>
+                                                </f:if>
+                                            </f:for>
+                                        </vh:string.sanitizeCsvCell>
+                                    </vh:string.removeQuote>";
+                                </f:then>
+                                <f:else>
+                                    "<vh:string.removeQuote><vh:string.sanitizeCsvCell>{answer.value}</vh:string.sanitizeCsvCell></vh:string.removeQuote>";
+                                </f:else>
+                            </f:if>
+                        </f:if>
+                    </f:for>
+                </f:then>
+                <f:else>
+                    <f:if condition="{vh:condition.isDateTimeVariableInVariable(obj:mail, prop:fieldUid)}">
+                        <f:then>
+                            <f:if condition="{0: fieldUid} == {0: 'crdate'}">
+                                <f:then>
+                                    "<vh:string.removeQuote><f:format.date format="d.m.Y H:i:s"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date>
+                                    <f:translate key="Clock" /></vh:string.removeQuote>";
+                                </f:then>
+                                <f:else>
+                                    <f:if condition="{0: fieldUid} == {0: 'time'}">
+                                        <f:then>
+                                            "<vh:string.removeQuote><f:format.date format="%M:%S"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date></vh:string.removeQuote>";
+                                        </f:then>
+                                        <f:else>
+                                            "<vh:string.removeQuote><f:format.date format="H:i:s"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date></vh:string.removeQuote>";
+                                        </f:else>
+                                    </f:if>
+                                </f:else>
+                            </f:if>
+                        </f:then>
+                        <f:else>
+                            <f:if condition="{0: fieldUid} == {0: 'marketing_page_funnel'}">
+                                <f:then>
+                                    <f:if condition="{vh:condition.isArray(val: '{vh:misc.variableInVariable(obj:mail, prop:fieldUid)}')}">
+                                        "<f:for each="{vh:misc.variableInVariable(obj:mail, prop:fieldUid)}" as="pid" iteration="pageIndex"><vh:getter.getPageNameFromUid uid="{pid}" /><f:if condition="{pageIndex.isLast}"><f:else> > </f:else></f:if></f:for>"
+                                    </f:if>
+                                </f:then>
+                                <f:else>
+                                    "<vh:string.removeQuote><vh:string.sanitizeCsvCell><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></vh:string.sanitizeCsvCell></vh:string.removeQuote>";
+                                </f:else>
+                            </f:if>
+                        </f:else>
+                    </f:if>
+                </f:else>
+            </f:if>
+        </f:for>
 
-									<f:if condition="{0: fieldUid} == {0: 'time'}">
-										<f:then>
-											"<vh:string.removeQuote><f:format.date format="%M:%S"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date></vh:string.removeQuote>";
-										</f:then>
-										<f:else>
-											"<vh:string.removeQuote><f:format.date format="H:i:s"><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></f:format.date></vh:string.removeQuote>";
-										</f:else>
-									</f:if>
-								</f:else>
-							</f:if>
-						</f:then>
-						<f:else>
-							<f:if condition="{0: fieldUid} == {0: 'marketing_page_funnel'}">
-								<f:then>
-									<f:if condition="{vh:condition.isArray(val: '{vh:misc.variableInVariable(obj:mail, prop:fieldUid)}')}">
-										"<f:for each="{vh:misc.variableInVariable(obj:mail, prop:fieldUid)}" as="pid" iteration="pageIndex"><vh:getter.getPageNameFromUid uid="{pid}" /><f:if condition="{pageIndex.isLast}"><f:else> > </f:else></f:if></f:for>"
-									</f:if>
-								</f:then>
-								<f:else>
-									"<vh:string.removeQuote><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></vh:string.removeQuote>";
-								</f:else>
-							</f:if>
-						</f:else>
-					</f:if>
-				</f:else>
-			</f:if>
-		</f:for>
-
-		<br />
-	</f:for>
+        <br />
+    </f:for>
 
 </vh:string.trim></vh:string.utf8ToUtf16></f:section>
diff --git a/Resources/Private/Templates/Module/ExportXls.html b/Resources/Private/Templates/Module/ExportXls.html
@@ -40,12 +40,12 @@
 												<f:then>
 													<f:for each="{answer.value}" as="singleValue" iteration="arrayIndex">
 														<f:if condition="{singleValue}">
-															{singleValue}<f:if condition="{arrayIndex.isLast}"><f:else>,</f:else></f:if>
+                                                            <vh:string.sanitizeCsvCell>{singleValue}</vh:string.sanitizeCsvCell><f:if condition="{arrayIndex.isLast}"><f:else>,</f:else></f:if>
 														</f:if>
 													</f:for>
 												</f:then>
 												<f:else>
-													{answer.value}
+                                                    <vh:string.sanitizeCsvCell>{answer.value}</vh:string.sanitizeCsvCell>
 												</f:else>
 											</f:if>
 										</f:if>
@@ -81,7 +81,7 @@
 													</f:if>
 												</f:then>
 												<f:else>
-													<vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" />
+                                                    <vh:string.sanitizeCsvCell><vh:misc.variableInVariable obj="{mail}" prop="{fieldUid}" /></vh:string.sanitizeCsvCell>
 												</f:else>
 											</f:if>
 										</f:else>
