digitalmars.D.bugs - [Issue 21409] New: [Bug]

https://issues.dlang.org/show_bug.cgi?id=21409

          Issue ID: 21409
           Summary: [Bug] std.datetime.timezone.PosixTimeZone.getTimeZone
                    allows for path traversal
           Product: D
           Version: D2
          Hardware: x86_64
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P1
         Component: phobos
          Assignee: nobody puremagic.com
          Reporter: nsonack outlook.com

`getTimeZone` appends and resolves relative paths in the tz database. This
allows for things like:

getTimeZone("Europe/../../../../../../../etc/passwd")

This fails with "Not a valid tzdata file.", which I consider unexpected
behaviour and, thus, a bug.

Generally, I would expect `getTimeZone` to never escape `/usr/share/zoneinfo/`.

If this is the intended behaviour, I am okay with this bug being closed.

Tested on:

[nico sagittarius ~]$ uname -apKU

r367705: Sun Nov 15 13:12:43 CET 2020    
nico sagittarius.herrhotzenplotz.geek:/usr/obj/usr/src/amd64.amd64/sys/SAGITTARIUS
 amd64 amd64 1300129 1300129
[nico sagittarius ~]$ ldc2 --version
LDC - the LLVM D compiler (1.23.0):
  based on DMD v2.093.1 and LLVM 10.0.1
  built with LDC - the LLVM D compiler (0.17.6)
  Default target: x86_64-portbld-freebsd13.0
  Host CPU: skylake
  http://dlang.org - http://wiki.dlang.org/LDC
...

--
Nov 20 2020
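
The containment the report expects can be checked before the name reaches `getTimeZone`. The following is an added example, not code from Phobos or from the reporter: `safeZonePath` is a hypothetical helper, the directory is the one named in the report, and the check is lexical only (it does not resolve symlinks inside the tz directory).

```d
import std.algorithm.searching : any, startsWith;
import std.exception : collectException, enforce;
import std.path : buildNormalizedPath, isRooted, pathSplitter;
import std.stdio : writefln;

// Hypothetical helper (not part of Phobos): resolve `name` lexically under
// `tzDir` and throw unless the result is still inside that directory.
string safeZonePath(string name, string tzDir = "/usr/share/zoneinfo/")
{
    enforce(name.length > 0, "empty time zone name");
    enforce(!isRooted(name), "absolute path rejected: " ~ name);
    // Reject ".." components outright, even ones that would cancel out.
    enforce(!pathSplitter(name).any!(part => part == ".."),
            "'..' component rejected: " ~ name);

    immutable root = buildNormalizedPath(tzDir);   // drops the trailing '/'
    immutable full = buildNormalizedPath(root, name);
    // Second check: the normalized result must sit below the root.
    enforce(full.startsWith(root ~ "/"), "escapes tz directory: " ~ name);
    return full;
}

void main()
{
    // Constructed inputs; the second one is the name from the report.
    foreach (name; ["Europe/Berlin",
                    "Europe/../../../../../../../etc/passwd",
                    "/etc/passwd",
                    "Europe/../America/New_York"])
    {
        string path;
        auto err = collectException(safeZonePath(name), path);
        if (err is null)
            writefln("accept %-42s -> %s", name, path);
        else
            writefln("reject %-42s (%s)", name, err.msg);
    }
}
```

Only `Europe/Berlin` is accepted; a caller would pass a name to `PosixTimeZone.getTimeZone` only after this check succeeds.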