[Issue 21409] New: [Bug] std.datetime.timezone.PosixTimeZone.getTimeZone allows for path traversal

d-bugmail at puremagic.com d-bugmail at puremagic.com
Fri Nov 20 14:49:09 UTC 2020


https://issues.dlang.org/show_bug.cgi?id=21409

          Issue ID: 21409
           Summary: [Bug] std.datetime.timezone.PosixTimeZone.getTimeZone
                    allows for path traversal
           Product: D
           Version: D2
          Hardware: x86_64
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
          Assignee: nobody at puremagic.com
          Reporter: nsonack at outlook.com

`getTimeZone` appends and resolves relative paths in the tz database. This
allows for things like:

getTimeZone("Europe/../../../../../../../etc/passwd")

This fails with "Not a valid tzdata file.", which I consider unexpected
behaviour and, thus, a bug.

Generally, I would expect `getTimeZone` to never escape `/usr/share/zoneinfo/`.

If this is the intended behaviour, I am okay with this bug being closed.

Tested on:

[nico at sagittarius ~]$ uname -apKU
FreeBSD sagittarius.herrhotzenplotz.geek 13.0-CURRENT FreeBSD 13.0-CURRENT #7
r367705: Sun Nov 15 13:12:43 CET 2020    
nico at sagittarius.herrhotzenplotz.geek:/usr/obj/usr/src/amd64.amd64/sys/SAGITTARIUS
 amd64 amd64 1300129 1300129
[nico at sagittarius ~]$ ldc2 --version
LDC - the LLVM D compiler (1.23.0):
  based on DMD v2.093.1 and LLVM 10.0.1
  built with LDC - the LLVM D compiler (0.17.6)
  Default target: x86_64-portbld-freebsd13.0
  Host CPU: skylake
  http://dlang.org - http://wiki.dlang.org/LDC
...

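A caller-side guard for the behaviour described in this report, added here as an illustration and not part of Phobos or the reporter's submission: it normalises the tz name against the zoneinfo root and rejects any name that resolves outside it before the name is ever passed to `getTimeZone`. `safeTzPath` and its parameters are assumed names; the check relies on `buildNormalizedPath`, which folds `.` and `..` textually only and does not follow symlinks.

```d
import std.algorithm.searching : startsWith;
import std.exception : enforce;
import std.path : buildNormalizedPath, dirSeparator, isAbsolute;

/// Hypothetical guard (not Phobos code). Resolves `tzName` lexically against
/// `tzRoot` and rejects any name whose normalized path leaves that directory.
/// buildNormalizedPath only folds "." and ".." textually; it does not consult
/// the filesystem, so this is a name check, not a symlink check.
string safeTzPath(string tzName, string tzRoot = "/usr/share/zoneinfo/")
{
    enforce(!tzName.isAbsolute, "tz name must be relative: " ~ tzName);

    // Normalize both sides the same way so the prefix comparison is exact
    // ("/usr/share/zoneinfo/" becomes "/usr/share/zoneinfo").
    immutable root = buildNormalizedPath(tzRoot);
    immutable candidate = buildNormalizedPath(root, tzName);

    // Require the separator after the root so a sibling directory such as
    // "/usr/share/zoneinfo-other/x" is not mistaken for a child of the root.
    enforce(candidate.startsWith(root ~ dirSeparator),
            "tz name escapes the tzdata directory: " ~ tzName);
    return candidate;
}

unittest
{
    import std.exception : assertThrown;

    // Ordinary names resolve inside the database.
    assert(safeTzPath("Europe/Berlin") == "/usr/share/zoneinfo/Europe/Berlin");
    // Redundant segments that stay inside the root are still accepted.
    assert(safeTzPath("Europe/../Europe/Berlin")
           == "/usr/share/zoneinfo/Europe/Berlin");
    // The traversal from the report is rejected before any file is opened.
    assertThrown(safeTzPath("Europe/../../../../../../../etc/passwd"));
    // Absolute names are rejected outright.
    assertThrown(safeTzPath("/etc/passwd"));
}
```

Only a name that passes `safeTzPath` would then be handed to `getTimeZone`; the returned path is informational, since `getTimeZone` builds its own path from the name and its database directory.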