TZ environment variable

Kevin Kenny kennykb at crd.ge.com
Mon May 9 15:32:51 UTC 2005


olsona at dc37a.nci.nih.gov said:
> If the TZ environment variable needs to be checked for mischief-making
> time zone abbreviations, the same check needs to be applied to values
> derived from time zone files (since, at least on some systems, users
> can create arbitrary files and arrange for them to be used with an
> appropriate TZ setting.)

I always personally considered *that* a bit of a security bug.  In
the Tcl implementation, I restricted named timezones to combinations
of alphanumerics, slashes and underscores, without a leading slash;
in this way, paths from the root or from '..' couldn't be constructed.
It's arguable that it's a feature rather than a bug, but I decided to
err on the side of caution, since a programmer can augment the
search path for the files if desired.
--
73 de ke9tv/2, Kevin KENNY   GE Corporate Research & Development
kennykb at crd.ge.com           P. O. Box 8, Bldg. K-1, Rm. 5B36A
                             Schenectady, New York 12301-0008 USA
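
Added example, not part of the original message and not code from the Tcl implementation: a C sketch of the name restriction described above (alphanumerics, slashes and underscores, no leading slash), applied before a zone name is joined to a base directory. `ZONE_ROOT`, the function names and the sample values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define ZONE_ROOT "/usr/share/zoneinfo"  /* assumed base directory */

/* ASCII-only test; isalnum() is locale-dependent, so it is avoided. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* 1 if name has only alphanumerics, '/' and '_' and no leading '/'.
 * '.' is not allowed, so ".." cannot appear. Rejecting the empty
 * string is an assumption of this example. */
int tz_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    for (; *name != '\0'; name++) {
        unsigned char c = (unsigned char)*name;
        if (!is_ascii_alnum(c) && c != '/' && c != '_')
            return 0;
    }
    return 1;
}

/* Write ZONE_ROOT/name to out; 0 on success, -1 if rejected or too long. */
int tz_zone_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!tz_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", ZONE_ROOT, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample TZ values. */
    const char *samples[] = { "America/New_York", "/tmp/zone",
                              "../../tmp/zone", "Etc/GMT+5" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               tz_zone_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The character set is exactly the one the message states, so a name containing `+` or `-`, such as `Etc/GMT+5`, is rejected by this sketch.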



