How to prevent CSV injection in a Django application
Question
I have a Django application with a file upload feature. I am using ClamAV to scan the file for viruses. I want to prevent CSV injection in my application too. I found this stackoverflow link related to it, but it is of no help. Please suggest how to prevent CSV injection in my Django application with ClamAV.
Answer 1
Score: 2
Look at the definition of CSV Injection (this link can be found in your SO link)
https://www.owasp.org/index.php/CSV_Injection
In short:
> When a spreadsheet program such as Microsoft Excel or LibreOffice Calc
> is used to open a CSV, any cells starting with '=' will be interpreted
> by the software as a formula. Maliciously crafted formulas can be used
> for three key attacks:
You can prevent this attack by:
> This attack is difficult to mitigate, and explicitly disallowed from
> quite a few bug bounty programs. To remediate it, ensure that no cells
> begin with any of the following characters:
>
> Equals to ("=")
> Plus ("+")
> Minus ("-")
> At ("@")
I don't know how to do this with ClamAV as I don't use it, but you could write a small Python function that reads the file and ensures that no cell starts with any of the above characters.
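The check this answer describes, as an added example that is not part of the original answer: a small Python function that parses the upload with the csv module and reports or neutralises every cell whose first character is one of the formula triggers. It goes slightly beyond the four characters quoted above by also treating tab and carriage return as triggers, as OWASP's current CSV Injection page does. It uses no Django imports so it runs stand-alone; in a Django form or view you would call `validate_csv_upload(request.FILES["file"])` (the field name is an assumption) and raise `django.core.exceptions.ValidationError` instead of `ValueError`.

```python
import csv
import io

# Leading characters that spreadsheet programs treat as the start of a formula.
# The answer lists = + - @; tab and carriage return are added because OWASP's
# current CSV Injection page also lists them.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample upload: row 3 column 2 and row 4 columns 2-3 are risky.
# Note that "-5" is a plain negative number yet still matches the rule.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,10,ok\n"
    "bob,=SUM(A2:A3),hello\n"
    "carol,-5,@mention\n"
)

def find_formula_cells(csv_text):
    """Return (row, col, value) for every cell whose first character is a formula trigger."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((row_no, col_no, cell))
    return hits

def neutralise_cell(cell):
    """Prefix a risky cell with a single quote so spreadsheets read it as text."""
    return "'" + cell if cell.startswith(FORMULA_PREFIXES) else cell

def neutralise_csv(csv_text):
    """Rewrite the CSV with every formula-triggering cell defanged."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralise_cell(c) for c in row])
    return out.getvalue()

def validate_csv_upload(upload, encoding="utf-8"):
    """Reject an upload if any cell could run as a formula; return its text otherwise.
    `upload` is raw bytes or a file-like object whose read() returns bytes
    (e.g. a Django UploadedFile from request.FILES; that usage is an assumption)."""
    data = upload if isinstance(upload, bytes) else upload.read()
    hits = find_formula_cells(data.decode(encoding))
    if hits:
        row, col, value = hits[0]
        raise ValueError(f"row {row}, column {col} starts with a formula character: {value!r}")
    return data.decode(encoding)
```

Because a leading minus also matches ordinary negative numbers, decide per column whether to reject the upload outright or to defang the cell with `neutralise_csv` and keep it.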