Fix directory traversal in Timezone.get
kratob authored and philr committed Jul 16, 2022
1 parent f4f3c2e commit 9eddbb5
Showing 3 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/tzinfo/timezone.rb
@@ -101,7 +101,7 @@ def self.default_dst
def self.get(identifier)
instance = @@loaded_zones[identifier]
unless instance
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/
identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
begin
# Use a temporary variable to avoid an rdoc warning
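Review bot: The replacement regex on the added line is rebuilt inline on every call and nothing records why `\A`/`\z` were chosen, although that choice is the entire fix: in Ruby `^` and `$` are line anchors, so an identifier containing a newline could satisfy the old pattern, and `\Z` would still accept a trailing newline. I would hoist it to a frozen class-level constant with a why-comment, e.g. `# \A/\z anchor the whole string; ^/$ only anchor lines and let a multi-line identifier through`, then `IDENTIFIER_PATTERN = /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/` and `raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ IDENTIFIER_PATTERN`. The body of `self.get` continues past the hunk (the `begin` after the `gsub` calls), so the point where the validated identifier is turned into a file load is not visible here.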
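--- a/test/in_load_path/payload.rb
+++ b/test/in_load_path/payload.rb
@@ -0,0 +1 @@
+raise 'This should never be executed'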
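Review bot: The fixture's single line gives no hint of why test/in_load_path exists or what reaching it would mean, so a reader of this file alone cannot tell a stray `raise` from a sentinel. A leading comment would carry that, e.g. `# Sentinel for tc_timezone.rb: this directory is put on the load path, so this file is only reached if Timezone.get accepts an identifier that escapes the definitions directory.` That the identifier ends up in a require is inferred from the rest of the commit rather than visible in this file, so the comment should be checked against lib/tzinfo/timezone.rb before landing.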
7 changes: 6 additions & 1 deletion test/tc_timezone.rb
@@ -1,4 +1,5 @@
$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
$:.unshift File.join(File.dirname(__FILE__), "in_load_path")
require 'test/unit'
require File.join(File.dirname(__FILE__), 'test_utils')
require 'tzinfo'
@@ -97,7 +98,11 @@ def test_get_not_exist
end

def test_get_invalid
assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
end

def test_get_directory_traversal
assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n/../../../payload") }
end

def test_get_nil
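Review bot: `test_get_directory_traversal` pins only the embedded-newline case that `^`/`$` let through; it does not pin the trailing-newline case, which is what separates `\z` from `\Z` (`\Z` still matches before a final newline) in the pattern this commit introduces in lib/tzinfo/timezone.rb. Adding `assert_raises(InvalidTimezoneIdentifier) { Timezone.get("UTC\n") }` to the new test would stop a later edit from `\z` to `\Z` from quietly reopening the gap. The assertion also deserves a one-line comment explaining its failure mode, e.g. `# test/in_load_path/payload.rb raises if the identifier check is bypassed and the path is required`, since nothing in this file otherwise explains the new load-path entry in the first hunk. The enclosing test class starts and ends outside the hunk.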
