[Issue 21409] [Bug] std.datetime.timezone.PosixTimeZone.getTimeZone allows for path traversal
May 02, 2021
https://issues.dlang.org/show_bug.cgi?id=21409

Berni44 <bugzilla@bernis-buecher.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla@bernis-buecher.de

--- Comment #1 from Berni44 <bugzilla@bernis-buecher.de> ---
In my opinion, the problem is that the first parameter of getTimeZone is the name of the zone, not a path. But it is just appended (without a check) to the second parameter, which is a path (and has a default).

I think it would be OK if someone wrote

getTimeZone("Europe", "/etc/passwd")

and thus escaped "/usr/share/zoneinfo/". It's not the task of a library to prevent such things, because it might be that someone intentionally put their timezone data at that place. In this case it's the responsibility of the OS, the programmer (and the user, if not identical to the programmer) to make sure that this does not lead to any harm.

Anyway, the name should be checked for correct syntax, so I leave this open.

--
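The kind of name syntax check Comment #1 asks for, sketched as an added example; it is not code from Phobos or from anyone in this thread. `isValidZoneName` and `resolveZoneFile` are hypothetical helpers, and the allowed character set is an assumption about what zone names contain. The database directory is left unchecked because the comment treats it as the caller's responsibility.

```d
// Added example, not Phobos code: isValidZoneName and resolveZoneFile are
// hypothetical helpers, and the allowed character set is an assumption.
import std.ascii : isAlphaNum;
import std.exception : enforce;
import std.path : buildPath;
import std.stdio : writefln;

/// True if `name` has the shape of a zone name ("Europe/Berlin"), not a path.
bool isValidZoneName(const(char)[] name)
{
    size_t compLen = 0; // characters seen in the current "/"-separated component
    foreach (char c; name)
    {
        if (c == '/')
        {
            if (compLen == 0) return false; // leading "/" (absolute path) or "//"
            compLen = 0;
            continue;
        }
        if (compLen == 0 && c == '.') return false; // ".", ".." and dot-files
        // Allowlist: everything else (backslash, NUL, spaces, non-ASCII) is rejected.
        if (!(isAlphaNum(c) || c == '_' || c == '-' || c == '+' || c == '.'))
            return false;
        ++compLen;
    }
    return compLen != 0; // rejects the empty name and a trailing "/"
}

/// Validates the name, then joins it to the caller-chosen database directory.
string resolveZoneFile(string name, string tzDatabaseDir = "/usr/share/zoneinfo/")
{
    enforce(isValidZoneName(name), "invalid time zone name: " ~ name);
    return buildPath(tzDatabaseDir, name);
}

void main()
{
    // Constructed sample inputs.
    foreach (name; ["Europe/Berlin", "Etc/GMT+1", "../../etc/passwd",
                    "/etc/passwd", "Europe//Berlin", "Europe/"])
        writefln("%-20s %s", name, isValidZoneName(name) ? "accepted" : "rejected");

    assert(resolveZoneFile("Europe/Berlin") == "/usr/share/zoneinfo/Europe/Berlin");
}
```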
December 17, 2022
https://issues.dlang.org/show_bug.cgi?id=21409

Iain Buclaw <ibuclaw@gdcproject.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P1                          |P3

--
December 01
https://issues.dlang.org/show_bug.cgi?id=21409

--- Comment #2 from dlangBugzillaToGithub <robert.schadek@posteo.de> ---
THIS ISSUE HAS BEEN MOVED TO GITHUB

https://github.com/dlang/phobos/issues/10447

DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB

--