Merge pull request #56031 from nextcloud/backport/55989/stable31

[stable31] fix(profiler): Harden profiler writes

Author: nickvergessen

lib/private/Profiler/FileProfilerStorage.php

@@ -48,15 +48,17 @@ public function find(?string $url, ?int $limit, ?string $method, ?int $start = n
 			[$csvToken, $csvMethod, $csvUrl, $csvTime, $csvParent, $csvStatusCode] = $values;
 			$csvTime = (int)$csvTime;
 
-			if ($url && !str_contains($csvUrl, $url) || $method && !str_contains($csvMethod, $method) || $statusCode && !str_contains($csvStatusCode, $statusCode)) {
+			if (($url && !str_contains($csvUrl, $url))
+				|| ($method && !str_contains($csvMethod, $method))
+				|| ($statusCode && !str_contains($csvStatusCode, $statusCode))) {
 				continue;
 			}
 
-			if (!empty($start) && $csvTime < $start) {
+			if ($start !== null && $csvTime < $start) {
 				continue;
 			}
 
-			if (!empty($end) && $csvTime > $end) {
+			if ($end !== null && $csvTime > $end) {
 				continue;
 			}
 
@@ -154,20 +156,27 @@ public function write(IProfile $profile): bool {
 				return false;
 			}
 
-			fputcsv($file, [
+			fputcsv($file, array_map([$this, 'escapeFormulae'], [
 				$profile->getToken(),
 				$profile->getMethod(),
 				$profile->getUrl(),
 				$profile->getTime(),
 				$profile->getParentToken(),
 				$profile->getStatusCode(),
-			]);
+			]), escape: '');
 			fclose($file);
 		}
 
 		return true;
 	}
 
+	protected function escapeFormulae(?string $value): ?string {
+		if ($value !== null && preg_match('/^[=+\-@\t\r]/', $value)) {
+			return "'" . $value;
+		}
+		return $value;
+	}
+
 	/**
 	 * Gets filename to store data, associated to the token.
 	 *