[Issue 21409] [Bug] std.datetime.timezone.PosixTimeZone.getTimeZone allows for path traversal

d-bugmail at puremagic.com
Sun May 2 19:39:13 UTC 2021


https://issues.dlang.org/show_bug.cgi?id=21409

Berni44 <bugzilla at bernis-buecher.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla at bernis-buecher.de

--- Comment #1 from Berni44 <bugzilla at bernis-buecher.de> ---
In my opinion, the problem is that the first parameter of getTimeZone is the
name of the zone, not a path. But it is just appended (without a check) to the
second parameter, which is a path (and has a default).

I think it would be OK if someone wrote

getTimeZone("Europe", "/etc/passwd")

and thus escaped the "/usr/share/zoneinfo/". It's not the task of a library to
prevent such things, because it might be that someone intentionally put their
timezone data at that place. In this case it's the responsibility of the OS,
the programmer (and the user, if not identical to the programmer) to make sure
that this does not lead to any harm.

Anyway, the name should be checked for correct syntax, so I leave this open.

--
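
An added example, not part of the original comment and not Phobos code: one way a zone name could be syntax-checked before it is appended to the database directory, while the directory itself is left to the caller as the comment argues. The helper names `isValidZoneName` and `zoneFilePath` and the accepted character set are assumptions made for illustration.

```d
import std.ascii : isAlphaNum;
import std.exception : assertThrown;
import std.path : buildPath;

/// Hypothetical helper: true only for relative, '/'-separated zone names
/// whose components are non-empty and are neither "." nor "..".
bool isValidZoneName(const(char)[] name) pure nothrow @nogc @safe
{
    if (name.length == 0)
        return false;
    size_t start = 0;
    foreach (i; 0 .. name.length + 1)
    {
        if (i == name.length || name[i] == '/')
        {
            // A component ends here. An empty one means a leading,
            // trailing or doubled '/', so absolute paths fail as well.
            const part = name[start .. i];
            if (part.length == 0 || part == "." || part == "..")
                return false;
            start = i + 1;
        }
        else
        {
            immutable char c = name[i];
            // Assumed character set: ASCII letters, digits and "_-+.".
            if (!(isAlphaNum(c) || c == '_' || c == '-' || c == '+' || c == '.'))
                return false;
        }
    }
    return true;
}

/// Hypothetical wrapper: checks the name, never the caller-chosen directory.
string zoneFilePath(string name, string tzDatabaseDir = "/usr/share/zoneinfo/")
{
    if (!isValidZoneName(name))
        throw new Exception("invalid time zone name: " ~ name);
    return buildPath(tzDatabaseDir, name);
}

unittest
{
    assert(isValidZoneName("Europe/Berlin") && isValidZoneName("Etc/GMT+5"));
    assert(!isValidZoneName("../../etc/passwd") && !isValidZoneName("/etc/passwd"));
    assert(!isValidZoneName("Europe//Berlin") && !isValidZoneName("Europe/"));
    assertThrown(zoneFilePath("Europe/../../../etc/passwd"));
    version (Posix)
        assert(zoneFilePath("Europe/Berlin") == "/usr/share/zoneinfo/Europe/Berlin");
}
```

The checks can be run with `dmd -unittest -main -run` followed by the file name.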