TZ environment variable

Garrett Wollman wollman at csail.mit.edu
Mon May 9 20:05:49 UTC 2005


<<On Mon, 09 May 2005 12:23:24 -0700, Paul Eggert <eggert at CS.UCLA.EDU> said:

> "Olson, Arthur David (NIH/NCI)" <olsona at dc37a.nci.nih.gov> writes:
>> If the TZ environment variable needs to be checked for mischief-making time
>> zone abbreviations, the same check needs to be applied to values derived
>> from time zone files

> Yes, quite right.  Presumably the same check should be applied to each.

My argument that the correct way to handle this would be to expect
security-sensitive applications to do:

	unsetenv("TZ");
	tzset();

...which they ought to do anyway.  A slight improvement, for those
systems which implement issetugid(), would be for the library routines
to ignore the setting of TZ if this returns true.

-GAWollman




More information about the tz mailing list