
Commit b98c32e

committed
Merge branch 'fix-directory-traversal-1.2' into 1.2
2 parents 394c381 + ac3ee68 commit b98c32e


5 files changed

+11
-4
lines changed


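--- a/lib/tzinfo/ruby_data_source.rb
+++ b/lib/tzinfo/ruby_data_source.rb
@@ -38,7 +38,7 @@ def initialize
 # Raises InvalidTimezoneIdentifier if the timezone is not found or the
 # identifier is invalid.
 def load_timezone_info(identifier)
-raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
 
 identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
 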
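Review bot: The `+` line replacing `^`/`$` with `\A`/`\z` is the whole security fix, yet nothing in the code records why, so a later "tidy-up" could regress it unnoticed. Suggest a comment directly above the raise: `# \A and \z anchor the whole string: ^ and $ match at line boundaries, so an identifier containing a newline could carry extra path segments the check never sees.` Dropping the needless escape on `+` inside the character class is a harmless style change and needs no note. The body of load_timezone_info continues past the hunk, so the later gsub/require path is not reviewed here.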
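--- /dev/null
+++ b/test/assets/payload.rb
@@ -0,0 +1 @@
+raise 'This should never be executed'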
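--- a/test/tc_ruby_data_source.rb
+++ b/test/tc_ruby_data_source.rb
@@ -48,9 +48,15 @@ def test_load_timezone_info_does_not_exist
 
 def test_load_timezone_info_invalid
 assert_raises(InvalidTimezoneIdentifier) do
-@data_source.load_timezone_info('../Definitions/UTC')
+@data_source.load_timezone_info('../definitions/UTC')
 end
 end
+
+def test_load_timezone_info_directory_traversal
+test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+end
 
 def test_load_timezone_info_nil
 assert_raises(InvalidTimezoneIdentifier) do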
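Review bot: The new test_load_timezone_info_directory_traversal goes through `Timezone.get` while every neighbouring test in this file calls `@data_source.load_timezone_info` directly, so a failure would be attributed to the Timezone facade rather than the data source this file exercises; calling `@data_source.load_timezone_info("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}")` would match the file's style and pin the regression test to this class (a facade-level test already lives in tc_timezone.rb). The `+ 4` in `'/..' * (test_data_depth + 4)` is also unexplained — presumably a margin of extra `..` segments to be certain of reaching the filesystem root before the absolute payload path is appended — and a short comment such as `# more '..' than the data dir is deep; surplus segments are harmless at the root` would make that intent clear. The assertion relies on test/assets/payload.rb raising a plain RuntimeError if it is ever required, so a regression would fail loudly rather than pass by accident, which is worth stating in a one-line comment above the assert.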
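--- a/test/tc_timezone.rb
+++ b/test/tc_timezone.rb
@@ -213,7 +213,7 @@ def test_get_not_exist
 end
 
 def test_get_invalid
-assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
 end
 
 def test_get_nil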
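--- a/test/tc_zoneinfo_data_source.rb
+++ b/test/tc_zoneinfo_data_source.rb
@@ -374,7 +374,7 @@ def test_load_timezone_info_does_not_exist
 
 def test_load_timezone_info_invalid
 assert_raises(InvalidTimezoneIdentifier) do
-@data_source.load_timezone_info('../Definitions/Europe/London')
+@data_source.load_timezone_info('../zoneinfo/Europe/London')
 end
 end
 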