Commit 7f19e632bd3dd78331e0eb3d0201a0a589c2c67a
Committed by
GitHub
Merge pull request #275 from christian-intra2net/csv-formula-extension
Csv formula extension
Showing
2 changed files
with
13 additions
and
1 deletions
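--- a/oletools/msodde.py
+++ b/oletools/msodde.py
@@ -833,7 +833,8 @@ def process_rtf(file_handle, field_filter_mode=None):
 CSV_SMALL_THRESH = 1024
 
 # format of dde link: program-name | arguments ! unimportant
-CSV_DDE_FORMAT = re.compile(r'\s*=(.+)\|(.+)!(.*)\s*')
+# can be enclosed in "", prefixed with + or = or - or cmds like @SUM(...)
+CSV_DDE_FORMAT = re.compile(r'\s*"?[=+-@](.+)\|(.+)!(.*)\s*')
 
 # allowed delimiters (python sniffer would use nearly any char). Taken from
 # https://data-gov.tw.rpi.edu/wiki/CSV_files_use_delimiters_other_than_commas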
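Review bot: The character class `[=+-@]` on the new CSV_DDE_FORMAT line contains the range `+-@` (0x2B–0x40), so besides `=`, `+`, `-` and `@` it also accepts digits, `.`, `/`, `,`, `:`, `;`, `<`, `>` and `?` as the leading character, and a plain cell such as `1|2!3` would be reported as a DDE link. The comment above it names only the four prefix characters, so the hyphen should be escaped or moved to the edge of the class: `CSV_DDE_FORMAT = re.compile(r'\s*"?[=+\-@](.+)\|(.+)!(.*)\s*')`. The trailing `\s*` after the greedy `(.*)` can never match anything and could be dropped at the same time. These constants are module-level despite the `def process_rtf` context in the hunk header.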
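--- a/tests/msodde/test_csv.py
+++ b/tests/msodde/test_csv.py
@@ -131,6 +131,17 @@ class TestCSV(unittest.TestCase):
         self.assertTrue(have_start_line)  # ensure output was complete
         return result
 
+    def test_regex(self):
+        """ check that regex captures other ways to include dde commands
+
+        from http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/ and/or
+        https://www.contextis.com/blog/comma-separated-vulnerabilities
+        """
+        kernel = "cmd|'/c calc'!A0"
+        for wrap in '={0}', '@SUM({0})', '"={0}"', '+{0}', '-{0}':
+            cmd = wrap.format(kernel)
+            self.assertNotEqual(msodde.CSV_DDE_FORMAT.match(cmd), None)
+
 
 # just in case somebody calls this file as a script
 if __name__ == '__main__':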
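Review bot: test_regex asserts only positive matches, so an over-permissive pattern still passes; a negative case such as `self.assertIsNone(msodde.CSV_DDE_FORMAT.match('1|2!3'))` would pin that a cell lacking one of the documented prefix characters is not reported as a DDE link. The assertion on new line 143 reads more naturally as `self.assertIsNotNone(msodde.CSV_DDE_FORMAT.match(cmd))`, which also gives a clearer failure message. The `for` target on line 141 is a bare tuple of format strings; wrapping it in parentheses makes the iterable explicit. The enclosing class TestCSV begins outside the hunk.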