[bugzilla-gnome-org-upstream/4.4] Bug 1259881 - CSV export vulnerable to formulae injection (again) r=sgreen a=dkl

[Andrea Veri <av src gnome org>]

commit 36253a7195fe34b4989ded4be78c1b62ae5b66fa
Author: Frédéric Buclin <LpSolit gmail com>
Date:   Mon Apr 25 23:39:50 2016 +0200

    Bug 1259881 - CSV export vulnerable to formulae injection (again)
    r=sgreen a=dkl

 Bugzilla/Template.pm |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
---
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index cfcbc66..b9cbfcc 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -713,12 +713,13 @@ sub create {
             },
 
             # In CSV, quotes are doubled, and any value containing a quote or a
-            # comma is enclosed in quotes. If a field starts with an equals
-            # sign, it is proceed by a space.
+            # comma is enclosed in quotes.
+            # If a field starts with either "=", "+", "-" or "@", it is preceded
+            # by a space to prevent stupid formula execution from Excel & co.
             csv => sub
             {
                 my ($var) = @_;
-                $var = ' ' . $var if substr($var, 0, 1) eq '=';
+                $var = ' ' . $var if $var =~ /^[+= -]/;
                 # backslash is not special to CSV, but it can be used to confuse some browsers...
                 # so we do not allow it to happen. We only do this for logged-in users.
                 $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;