The really infuriating thing about this report is the message these terrible applications give to users. "Links to other files?" And the inquiry about whether those "links" should be "updated?" That's a ridiculous, terrible, message to express "remote code execution." Just as bad is "automatic update of links."<p>The hell? If I were reading this (as a sophisticated user who isn't a security expert), I'd just assume there was some kind of weird document embedding thing going on. Not that "link to other file" meant "RUN ARBITRARY APPLICATIONS AND PROBABLY EXECUTE ARBITRARY CODE."<p>Even the warning about "To access this data Excel needs to start another application" is incredibly deceptive. The data in a CSV is perfectly damn accessible without Excel opening anything else. It ought to say "to execute the commands embedded in this data, Excel needs to start another application," so that people bloody well know that they're not just <i>viewing data</i> but they're actually <i>doing something.</i><p>Horrible, horrible, horrible communication.
re: "Spreadsheet software could take steps to mitigate some of these attacks, but preventing formula injection is ultimately the responsibility of every application that generates spreadsheets containing user-supplied content."<p>Whoah, that's putting the blame in the wrong place. Spreadsheets shouldn't look for formulas at all in plain csv files. That's not what they're for.
I've found that spreadsheet software, notably Excel, tends to be "over-helpful" in trying to determine the format of the data it's reading in, no doubt in an attempt to help the less-knowledgeable user; anyone who has ever had it mangle imported data by e.g. guessing that "02-04" should somehow be a date will be familiar with this.<p>It should not be surprising then, that this type of guessing behaviour could lead to exploitable vulnerabilities.
All these features (like DDE) should be disabled by default, and should only be possible to be enabled by means of an obscure and hidden menu item that nobody can find.
Was just reading a vulnerability disclosure of an example of this at Hackerone last night (for Hackerone).<p><a href="https://hackerone.com/reports/72785" rel="nofollow">https://hackerone.com/reports/72785</a><p>They cited this link in their report.
You mean to say that, whenever I load a CSV file into LibreOffice, anything that looks like code gets executed? Excuse me one moment while I patch that program with rm -rf.<p>Thank goodness that A. W. and K. got this right 35 years ago, interpreting data inputs as numbers and strings. Pity about the regression.
Just implemented a CSV importer/exporter for a big release and this document came in super helpful.<p>Are there any CSV exploits that can't be solved by just prefixing fields that start with "=", "+", "-", and "@" with an apostrophe?
Old as me, this stuff is. Little consideration, security was for windows programmers when DDE was made. Exploits leveraging stuff from Windows 3.1, I see often.