`getTimeZone` appends and resolves relative paths in the tz database. This allows for things like:
getTimeZone("Europe/../../../../../../../etc/passwd")
This fails with "Not a valid tzdata file.", which I consider unexpected behaviour and, thus, a bug.
Generally, I would expect `getTimeZone` to never escape `/usr/share/zoneinfo/`.
If this is the intended behaviour, I am okay with this bug being closed.
Tested on:
[nico@sagittarius ~]$ uname -apKU
FreeBSD sagittarius.herrhotzenplotz.geek 13.0-CURRENT FreeBSD 13.0-CURRENT #7 r367705: Sun Nov 15 13:12:43 CET 2020 [email protected]:/usr/obj/usr/src/amd64.amd64/sys/SAGITTARIUS amd64 amd64 1300129 1300129
[nico@sagittarius ~]$ ldc2 --version
LDC - the LLVM D compiler (1.23.0):
based on DMD v2.093.1 and LLVM 10.0.1
built with LDC - the LLVM D compiler (0.17.6)
Default target: x86_64-portbld-freebsd13.0
Host CPU: skylake
http://dlang.org - http://wiki.dlang.org/LDC
...
Comment #1 by bugzilla — 2021-05-02T19:39:13Z
In my opinion, the problem is that the first parameter of getTimeZone is the name of the zone, not a path. But it is just appended (without a check) to the second parameter, which is a path (and has a default).
I think it would be OK if someone wrote
getTimeZone("Europe", "/etc/passwd")
and thus escaped the "/usr/share/zoneinfo/". It's not the task of a library to prevent such things, because it might be that someone intentionally put their timezone data at that place. In this case it's the responsibility of the OS, the programmer (and the user, if not identical to the programmer) to make sure that this does not lead to any harm.
Anyway, the name should be checked for correct syntax, so I leave this open.
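The name syntax check that Comment #1 asks for could look like the following. This is an added example, not part of the original thread and not Phobos code: `isValidTZName` and `zoneFilePath` are hypothetical helpers, and the accepted character set is an assumption chosen to admit names such as `Etc/GMT+1`.

```d
import std.stdio : writeln;

/// Hypothetical helper (not a Phobos function): accepts only names made of
/// '/'-separated components of ASCII letters, digits, '_', '-', '+' and '.'.
/// The character set is an assumption chosen to admit names like "Etc/GMT+1".
bool isValidTZName(const(char)[] name) @safe pure nothrow @nogc
{
    import std.ascii : isAlphaNum;
    if (name.length == 0) return false;
    size_t start = 0;
    foreach (i; 0 .. name.length + 1)
    {
        if (i < name.length && name[i] != '/')
        {
            immutable c = name[i];
            if (!(isAlphaNum(c) || c == '_' || c == '-' || c == '+' || c == '.'))
                return false; // also rejects NUL, '\\' and non-ASCII bytes
            continue;
        }
        // name[start .. i] is one complete component.
        const comp = name[start .. i];
        if (comp.length == 0 || comp == "." || comp == ".." || comp[0] == '-')
            return false; // empty component covers leading, trailing and doubled '/'
        start = i + 1;
    }
    return true;
}

/// Hypothetical helper: joins a validated name onto the database directory and
/// re-checks containment lexically (symlinks inside the directory are not resolved).
string zoneFilePath(string tzDatabaseDir, string name) @safe
{
    import std.algorithm.searching : startsWith;
    import std.exception : enforce;
    import std.path : absolutePath, buildNormalizedPath, dirSeparator;
    enforce(isValidTZName(name), "Invalid time zone name: " ~ name);
    string root = buildNormalizedPath(absolutePath(tzDatabaseDir));
    string file = buildNormalizedPath(root, name);
    enforce(file.startsWith(root ~ dirSeparator), "Name escapes " ~ root);
    return file;
}

void main()
{
    // Constructed inputs; the second one is the name from the report.
    foreach (n; ["Europe/Berlin", "Europe/../../../../../../../etc/passwd",
                 "Etc/GMT+1", "/etc/passwd", "Europe//Berlin", ""])
        writeln(n, " -> ", isValidTZName(n));
    writeln(zoneFilePath("/usr/share/zoneinfo/", "Europe/Berlin"));
}
```

Only the name is validated; the directory argument is left to the caller, which matches the position taken in Comment #1.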
Comment #2 by robert.schadek — 2024-12-01T16:38:00Z