Commit 9905ca9

kratobphilr authored and committed
Fix directory traversal in Timezone.get when using Ruby data source
1 parent 07b5941 commit 9905ca9


4 files changed

+9
-2
lines changed


lib/tzinfo/ruby_data_source.rb

Lines changed: 1 addition & 1 deletion
@@ -38,7 +38,7 @@ def initialize
3838
# Raises InvalidTimezoneIdentifier if the timezone is not found or the
3939
# identifier is invalid.
4040
defload_timezone_info(identifier)
41-
raiseInvalidTimezoneIdentifier,'Invalid identifier'ifidentifier !~/^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
41+
raiseInvalidTimezoneIdentifier,'Invalid identifier'ifidentifier !~/\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/
4242

4343
identifier=identifier.gsub(/-/,'__m__').gsub(/\+/,'__p__')
4444
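Review bot: the switch from `^`/`$` to `\A`/`\z` on the identifier check is the right fix, since in Ruby `^` and `$` match at every line boundary, so an identifier such as `"foo\n../x"` satisfied the old pattern on its first line while the rest flowed through to the `gsub` and file lookup below; `\A`/`\z` anchor the whole string, and `\z` (unlike `\Z`) also rejects a trailing newline. Worth a one-line comment above the `raise` stating why `\A`/`\z` is required, so nobody "simplifies" it back to `^`/`$` later.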

test/assets/payload.rb

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
raise'This should never be executed'
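Review bot: payload.rb carries no comment saying what it is for; a line such as `# Canary for the directory traversal test: if this file is ever loaded, the identifier check was bypassed` would stop it being mistaken for an orphaned asset and deleted, which would silently weaken the regression test.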

test/tc_ruby_data_source.rb

Lines changed: 6 additions & 0 deletions
@@ -51,6 +51,12 @@ def test_load_timezone_info_invalid
5151
@data_source.load_timezone_info('../Definitions/UTC')
5252
end
5353
end
54+
55+
deftest_load_timezone_info_directory_traversal
56+
test_data_depth=TZINFO_TEST_DATA_DIR.scan('/').size
57+
payload_path=File.join(TESTS_DIR,'assets','payload')
58+
assert_raises(InvalidTimezoneIdentifier){Timezone.get("foo\n#{'/..' *(test_data_depth +4)}#{payload_path}")}
59+
end
5460

5561
deftest_load_timezone_info_nil
5662
assert_raises(InvalidTimezoneIdentifier)do
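Review bot: the `+ 4` in `'/..' * (test_data_depth + 4)` is a magic number; a comment explaining which extra directory levels it accounts for would help the next reader, and a note that the leading `"foo\n"` is what defeated the old `^`/`$` anchors would make the regression being covered explicit. The test is named `test_load_timezone_info_directory_traversal` and sits in tc_ruby_data_source.rb, yet it calls `Timezone.get` rather than `@data_source.load_timezone_info` like the neighbouring tests; calling the data source directly would isolate the check under test. The `assert_raises(InvalidTimezoneIdentifier)` is a sound guard because payload.rb raises a plain RuntimeError, so an actual traversal fails the assertion instead of passing silently.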

test/tc_timezone.rb

Lines changed: 1 addition & 1 deletion
@@ -213,7 +213,7 @@ def test_get_not_exist
213213
end
214214

215215
deftest_get_invalid
216-
assert_raises(InvalidTimezoneIdentifier){Timezone.get('../Definitions/UTC')}
216+
assert_raises(InvalidTimezoneIdentifier){Timezone.get('../definitions/UTC')}
217217
end
218218

219219
deftest_get_nil
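Review bot: the identifier in `test_get_invalid` changes from `'../Definitions/UTC'` to `'../definitions/UTC'` with no explanation in the commit message, while `test_load_timezone_info_invalid` in tc_ruby_data_source.rb keeps `'../Definitions/UTC'` in this same commit. If the lowercase form is the real on-disk directory name (so the test proves the identifier check, not a case mismatch, is what rejects the path), say so in the message and apply the same change to the other test for consistency.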
