TZ environment variable

Kevin Kenny kennykb at
Mon May 9 15:32:51 UTC 2005

olsona at said:
> If the TZ environment variable needs to be checked for mischief-making
> time zone abbreviations, the same check needs to be applied to values
> derived from time zone files (since, at least on some systems, users
> can create arbitrary files and arrange for them to be used with an
> appropriate TZ setting.)

I always personally considered *that* a bit of a security bug.  In
the Tcl implementation, I restricted named timezones to combinations
of alphanumerics, slashes and underscores, without a leading slash;
in this way, paths from the root or from '..' couldn't be constructed.
It's arguable that it's a feature rather than a bug, but I decided to
err on the side of caution, since a programmer can augment the
search path for the files if desired.
73 de ke9tv/2, Kevin KENNY   GE Corporate Research & Development
kennykb at           P. O. Box 8, Bldg. K-1, Rm. 5B36A
                             Schenectady, New York 12301-0008 USA

More information about the tz mailing list