Merge branch 'fix-directory-traversal-0.3' into 0.3

tzinfo · Jul 19, 2022 · 01bcca5 · 01bcca5
2 parents 587af76 + cccfad8
commit 01bcca5
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/lib/tzinfo/timezone.rb b/lib/tzinfo/timezone.rb
@@ -101,7 +101,7 @@ def self.default_dst
     def self.get(identifier)
       instance = @@loaded_zones[identifier]
       unless instance  
-        raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+        raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
         identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
         begin
           # Use a temporary variable to avoid an rdoc warning

diff --git a/test/in_load_path/payload.rb b/test/in_load_path/payload.rb
@@ -0,0 +1 @@
+raise 'This should never be executed'
diff --git a/test/tc_timezone.rb b/test/tc_timezone.rb
@@ -1,4 +1,5 @@
 $:.unshift File.join(File.dirname(__FILE__), "..", "lib")
+$:.unshift File.join(File.dirname(__FILE__), "in_load_path")
 require 'test/unit'
 require File.join(File.dirname(__FILE__), 'test_utils')
 require 'tzinfo'
@@ -97,7 +98,11 @@ def test_get_not_exist
   end
 
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
+  end
+
+  def test_get_directory_traversal
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n/../../../payload") }
   end
 
   def test_get_nil