[SECURITY] Use defusedcsv for exports

2025-12-05 21:32:28 +00:00 · 2017-08-07 13:39:25 +02:00
parent bab092f04b
commit a2c1413036
5 changed files with 6 additions and 4 deletions
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -1,9 +1,9 @@
-import csv
 import io
 from collections import OrderedDict
 from decimal import Decimal

 import pytz
+from defusedcsv import csv
 from django import forms
 from django.db.models import Sum
 from django.dispatch import receiver
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -1,6 +1,6 @@
-import csv
 import io

+from defusedcsv import csv
 from django.conf import settings
 from django.contrib import messages
 from django.core.urlresolvers import resolve, reverse
--- a/src/pretix/plugins/checkinlists/exporters.py
+++ b/src/pretix/plugins/checkinlists/exporters.py
@@ -1,7 +1,7 @@
-import csv
 import io
 from collections import OrderedDict

+from defusedcsv import csv
 from django import forms
 from django.db.models.functions import Coalesce
 from django.utils.translation import (
--- a/src/requirements/production.txt
+++ b/src/requirements/production.txt
@@ -43,3 +43,4 @@ vobject==0.9.*
 pycountry
 django-countries
 pyuca  # for better sorting of country names in django-countries
+defusedcsv>=1.0.1
--- a/src/setup.py
+++ b/src/setup.py
@@ -104,7 +104,8 @@ setup(
        'vobject==0.9.*',
        'pycountry',
        'django-countries',
-        'pyuca'
+        'pyuca',
+        'defusedcsv'
    ],
    extras_require={
        'dev': [