TZ environment variable
Garrett Wollman
wollman at csail.mit.edu
Mon May 9 20:05:49 UTC 2005
<<On Mon, 09 May 2005 12:23:24 -0700, Paul Eggert <eggert at CS.UCLA.EDU> said:
> "Olson, Arthur David (NIH/NCI)" <olsona at dc37a.nci.nih.gov> writes:
>> If the TZ environment variable needs to be checked for mischief-making time
>> zone abbreviations, the same check needs to be applied to values derived
>> from time zone files
> Yes, quite right. Presumably the same check should be applied to each.
My argument that the correct way to handle this would be to expect
security-sensitive applications to do:
unsetenv("TZ");
tzset();
...which they ought to do anyway. A slight improvement, for those
systems which implement issetugid(), would be for the library routines
to ignore the setting of TZ if this returns true.
-GAWollman
More information about the tz
mailing list