Any update on this ?

Any progress on this ?

Sorry for the delay in responding. I confirm the problem.

I am however not sure about what the best way to fix this is.

It is easy enough when exporting data to prefix any text starting with =, @, - or + with a ', which will effectively disable the interpretation of a formula when the generated CSV is opened with Excel.

The problem is if the CSV needs to be consumed programmatically, then the added ' will "corrupt" the data. And MantisBT has no way to know how the exported file will be used.

CVE request 1166047 sent.

Base of proposed fix:

diff --git a/core/csv_api.php b/core/csv_api.php
index 795f9dc9b..0149e37b5 100644
--- a/core/csv_api.php
+++ b/core/csv_api.php
@@ -111,6 +111,13 @@ function csv_get_default_filename() {
  * @access public
  */
 function csv_escape_string( $p_string ) {
+   # Prevent CSV injection by escaping text that could be interpreted as a formula
+   if( $p_string && strpos( '=-+@', $p_string[0] ) !== false ) {
+       # Prefixing with a tab rather than single quote, as Excel does not show
+       # the tab visually in the cell.
+       $p_string = "\t" . $p_string;
+   }
+
        $t_escaped = str_split( '"' . csv_get_separator() . csv_get_newline() );
        $t_must_escape = false;
        while( ( $t_char = current( $t_escaped ) ) !== false && !$t_must_escape ) {

I'm considering adding a config option, to let users decide whether they want to prefix formulas to avoid CSV injection or not.

CVE-2021-43257 assigned.

@Devendra Bhatla any feedback ?

Hi @dregad

Thanks for the heads up.
The fix seems fine to me. I request you to deploy the fix in the upcoming version of the product.

Also, thanks for assigning a CVE-ID for the same, it can be observed that the CVE-ID is marked as RESERVED. I would like to request you to make this publicly once the fix/patch is deployed.

Thanks and regards
Devendra Bhatla

I request you to deploy the fix in the upcoming version of the product

Yes this is the plan, as you can see I have set target version to 2.25.3.

it can be observed that the CVE-ID is marked as RESERVED.

Indeed. This is normal, as CVE-ID publication is delayed until the patch is out.
https://cve.mitre.org/about/faqs.html#reserved_signify_in_cve_record

I would like to request you to make this publicly once the fix/patch is deployed.

Of course, once 2.25.3 gets released, I'll notify MITRE and the CVE-ID will become public.

Great. Would you please let me know by when i can expect the version 2.25.3 in order to validate the closure of the reported issue.

Thanks and regards
Devendra Bhatla

Soon, but I can't commit on a date - depends on my (lack of) spare time.

Hi @dregad,
Hope you are doing good amid pandemic.
It would be great if you can share some progress.
Thanks

Sorry this is not forgotten, but I unfortunately do not have time to spend on Mantis at the moment.

Sorry that was resolved by mistake, due to inadvertantly pushing a work-in-progress branch.

@Devendra Bhatla apologies for taking so long to merge this, many thanks for your report and your patience.

I will ask MITRE to release the CVE.