[Bug] std.datetime.timezone.PosixTimeZone.getTimeZone allows for path traversal

[dlangBugzillaToGithub]

nsonack reported this on 2020-11-20T14:49:09Z

Transfered from https://issues.dlang.org/show_bug.cgi?id=21409

CC List

• bugzilla (WalterBright)

Description

`getTimeZone` appends and resolves relatives paths in the tz database. This allows for things like:

getTimeZone("Europe/../../../../../../../etc/passwd")

This fails with "Not a valid tzdata file.", which I consider unexpected behaviour and, thus, a bug.

Generally, I would expect `getTimeZone` to never escape `/usr/share/zoneinfo/`.

If this is the intended behaviour, I am okay with this bug being closed.

Tested on:

[nico@sagittarius ~]$ uname -apKU
FreeBSD sagittarius.herrhotzenplotz.geek 13.0-CURRENT FreeBSD 13.0-CURRENT #7 r367705: Sun Nov 15 13:12:43 CET 2020     nico@sagittarius.herrhotzenplotz.geek:/usr/obj/usr/src/amd64.amd64/sys/SAGITTARIUS  amd64 amd64 1300129 1300129
[nico@sagittarius ~]$ ldc2 --version
LDC - the LLVM D compiler (1.23.0):
  based on DMD v2.093.1 and LLVM 10.0.1
  built with LDC - the LLVM D compiler (0.17.6)
  Default target: x86_64-portbld-freebsd13.0
  Host CPU: skylake
  http://dlang.org - http://wiki.dlang.org/LDC
...

[dlangBugzillaToGithub]

bugzilla commented on 2021-05-02T19:39:13Z

In my opinion, the problem is, that the first parameter of getTimeZone is the name of the zone, not a path. But it is just appended (without check) to the second parameter which is a path (and has a default).

I think, it would be ok, if someone wrote

getTimeZone("Europe", "/etc/passwd")

and thus escaping the "/usr/share/zoneinfo/". It's not the task of a library to prevent such things, because it might be, that someone intentionally put its timezone data at that place. In this case it's the responsibility of the OS, the programmer (and the user if not identical to the programmer) to make sure, that this does not lead to any harm.

Anyway, the name should be checked for correct syntax, so I leave this open.