From cf849946874ad94745b99502d19703a0bdc1c333 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Fri, 24 Oct 2025 15:23:20 +0200
Subject: [PATCH] fix(profiler): Harden profiler writes
Signed-off-by: Joas Schilling
---
 lib/private/Profiler/FileProfilerStorage.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/lib/private/Profiler/FileProfilerStorage.php b/lib/private/Profiler/FileProfilerStorage.php
index d0fe6195c50..c690fcd52d1 100644
--- a/lib/private/Profiler/FileProfilerStorage.php
+++ b/lib/private/Profiler/FileProfilerStorage.php
@@ -48,15 +48,17 @@ class FileProfilerStorage {
 [$csvToken, $csvMethod, $csvUrl, $csvTime, $csvParent, $csvStatusCode] = $values;
 $csvTime = (int)$csvTime;
- if ($url && !str_contains($csvUrl, $url) || $method && !str_contains($csvMethod, $method) || $statusCode && !str_contains($csvStatusCode, $statusCode)) {
+ if (($url && !str_contains($csvUrl, $url))
+ || ($method && !str_contains($csvMethod, $method))
+ || ($statusCode && !str_contains($csvStatusCode, $statusCode))) {
 continue;
 }
- if (!empty($start) && $csvTime < $start) {
+ if ($start !== null && $csvTime < $start) {
 continue;
 }
- if (!empty($end) && $csvTime > $end) {
+ if ($end !== null && $csvTime > $end) {
 continue;
 }
@@ -154,20 +156,27 @@ class FileProfilerStorage {
 return false;
 }
- fputcsv($file, [
+ fputcsv($file, array_map([$this, 'escapeFormulae'], [
 $profile->getToken(),
 $profile->getMethod(),
 $profile->getUrl(),
 $profile->getTime(),
 $profile->getParentToken(),
 $profile->getStatusCode(),
- ], escape: '');
+ ]), escape: '');
 fclose($file);
 }
 return true;
 }
+ protected function escapeFormulae(?string $value): ?string {
+ if ($value !== null && preg_match('/^[=+\-@\t\r]/', $value)) {
+ return "'" . $value;
+ }
+ return $value;
+ }
+
 /**
 * Gets filename to store data, associated to the token.
 *
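Review bot: In the first hunk, replacing `!empty($start)` / `!empty($end)` with `!== null` changes what a caller gets for `0` or an empty string: `$end = 0` used to mean "no upper bound" and now skips every row, because `$csvTime > 0` holds for any real timestamp. The enclosing method's signature is outside this hunk, so it cannot be confirmed here that both parameters are `?int` and that no caller passes `0` or `''` as "unset". If null is the only intended sentinel, a short comment above the two checks such as `// null = unbounded; 0 is treated as a real timestamp bound` would make the new contract explicit.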
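Review bot: In the second hunk, `escapeFormulae()` changes the value that is persisted, and nothing visible on the read side (the `[$csvToken, $csvMethod, $csvUrl, ...] = $values` loop in the first hunk) strips the `'` again. A token, parent token or URL that began with `=`, `+`, `-`, `@`, tab or CR would therefore come back from the index with a leading quote and might no longer match the profile it refers to; the rest of the read loop is outside this patch, so this should be confirmed. The new method also has no docblock; `/** Prefix index fields a spreadsheet would evaluate as a formula with a single quote; the prefix is stored as-is and not removed on read. */` would record why it exists and that it is lossy. Separately, the `?string` parameter also receives `getTime()` and `getStatusCode()`, which look like integers given the `(int)$csvTime` cast on read, so a test writing a real profile would confirm the coercion through `array_map` behaves as intended.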