From a2c1413036f3f1517b2e3c3517ea465f5fc06713 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 7 Aug 2017 13:39:25 +0200
Subject: [PATCH] [SECURITY] Use defusedcsv for exports

---
 src/pretix/base/exporters/orderlist.py | 2 +-
 src/pretix/control/views/vouchers.py | 2 +-
 src/pretix/plugins/checkinlists/exporters.py | 2 +-
 src/requirements/production.txt | 1 +
 src/setup.py | 3 ++-
 5 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/pretix/base/exporters/orderlist.py b/src/pretix/base/exporters/orderlist.py
index 78030765b..b021dc18b 100644
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -1,9 +1,9 @@
-import csv
 import io
 from collections import OrderedDict
 from decimal import Decimal
 
 import pytz
+from defusedcsv import csv
 from django import forms
 from django.db.models import Sum
 from django.dispatch import receiver
diff --git a/src/pretix/control/views/vouchers.py b/src/pretix/control/views/vouchers.py
index 70f088074..5898ad820 100644
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -1,6 +1,6 @@
-import csv
 import io
 
+from defusedcsv import csv
 from django.conf import settings
 from django.contrib import messages
 from django.core.urlresolvers import resolve, reverse
diff --git a/src/pretix/plugins/checkinlists/exporters.py b/src/pretix/plugins/checkinlists/exporters.py
index da99a0b9a..51b70a210 100644
--- a/src/pretix/plugins/checkinlists/exporters.py
+++ b/src/pretix/plugins/checkinlists/exporters.py
@@ -1,7 +1,7 @@
-import csv
 import io
 from collections import OrderedDict
 
+from defusedcsv import csv
 from django import forms
 from django.db.models.functions import Coalesce
 from django.utils.translation import (
diff --git a/src/requirements/production.txt b/src/requirements/production.txt
index 0b936e788..8f9372e68 100644
--- a/src/requirements/production.txt
+++ b/src/requirements/production.txt
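Review bot: The new `from defusedcsv import csv` line in the orderlist.py hunk (and likewise in the vouchers.py and checkinlists/exporters.py hunks) deliberately shadows the stdlib module name but carries no comment saying so, so a later cleanup or an import-sorting tool could revert it to `import csv` and silently drop the protection. I would put `# drop-in for the stdlib csv module; escapes cell values a spreadsheet would otherwise evaluate as a formula` directly above each of the three imports. The hunks show only the import swap, so whether every CSV writer in these modules goes through this name, and whether any non-CSV export path in the same modules needs equivalent treatment, cannot be confirmed from here and should be checked in the full files. The surrounding import blocks continue outside the hunks.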
@@ -43,3 +43,4 @@ vobject==0.9.*
 pycountry
 django-countries
 pyuca # for better sorting of country names in django-countries
+defusedcsv>=1.0.1
diff --git a/src/setup.py b/src/setup.py
index 651736501..695b2b986 100644
--- a/src/setup.py
+++ b/src/setup.py
@@ -104,7 +104,8 @@ setup(
 'vobject==0.9.*',
 'pycountry',
 'django-countries',
-'pyuca'
+'pyuca',
+'defusedcsv'
 ],
 extras_require={
 'dev': [
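Review bot: The added `'defusedcsv'` entry in the setup.py hunk has no version floor, while the production.txt hunk in this same commit pins `defusedcsv>=1.0.1`; an install driven by `install_requires` alone could therefore resolve an older release than the one the requirements file was written against, which seems contrary to the intent of a [SECURITY] commit. I would make the two agree by changing the new line to `'defusedcsv>=1.0.1'`, matching how neighbouring entries such as `'vobject==0.9.*'` already carry constraints. As a minor style point, leaving a trailing comma after the last list element would avoid touching the previous last line (`'pyuca'` → `'pyuca',`) each time a dependency is appended. The `setup(` call begins and ends outside the hunk.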