Commit b98c32e
Merge branch 'fix-directory-traversal-1.2' into 1.2
2 parents 394c381 + ac3ee68 commit b98c32e

5 files changed: +11 -4 lines changed

lib/tzinfo/ruby_data_source.rb (1 addition & 1 deletion)

@@ -38,7 +38,7 @@ def initialize
3838
# Raises InvalidTimezoneIdentifier if the timezone is not found or the
3939
# identifier is invalid.
4040
def load_timezone_info(identifier)
41-
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
41+
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
4242

4343
identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
4444

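Review bot: the substantive change in this hunk is the anchor swap from `^`/`$` to `\A`/`\z` in the identifier regex, and it deserves an explanatory comment above the `raise`. In Ruby `^` and `$` match at line boundaries, so an identifier containing a newline could satisfy the old pattern on its first line while the remainder of the string (the `../` segments the new `test_load_timezone_info_directory_traversal` test constructs) flowed on into the path built after the `gsub` calls below; `\A` and `\z` anchor the whole string and close that gap. Dropping the backslash before `+` inside the character classes is harmless, since `+` is literal there. Suggest adding a line such as `# \A and \z are required: ^ and $ only match per line` so a later tidy-up does not reintroduce the line anchors.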
test/assets/payload.rb (1 addition & 0 deletions)

@@ -0,0 +1 @@
1+
raise 'This should never be executed'
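Review bot: `test/assets/payload.rb` carries no comment explaining its role; a maintainer finding a bare `raise` under `test/assets` has no way to tell that the file exists to be loaded only if the directory-traversal check in `RubyDataSource#load_timezone_info` fails, with the `raise` making that failure loud. Suggest a leading comment such as `# Loaded only if a traversal identifier bypasses validation; see test_load_timezone_info_directory_traversal` so the file is not mistaken for dead code and deleted.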
test/tc_ruby_data_source.rb (7 additions & 1 deletion)

@@ -48,9 +48,15 @@ def test_load_timezone_info_does_not_exist
4848

4949
def test_load_timezone_info_invalid
5050
assert_raises(InvalidTimezoneIdentifier) do
51-
@data_source.load_timezone_info('../Definitions/UTC')
51+
@data_source.load_timezone_info('../definitions/UTC')
5252
end
5353
end
54+
55+
def test_load_timezone_info_directory_traversal
56+
test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
57+
payload_path = File.join(TESTS_DIR, 'assets', 'payload')
58+
assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
59+
end
5460

5561
def test_load_timezone_info_nil
5662
assert_raises(InvalidTimezoneIdentifier) do
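Review bot: in `test_load_timezone_info_directory_traversal` the depth is derived from `TZINFO_TEST_DATA_DIR.scan('/').size`, which counts forward slashes only; if that constant is ever built with a platform-specific separator the depth comes out too small and the `'/..'` prefix may stop short of the payload, letting the test pass without exercising the check. `Pathname.new(TZINFO_TEST_DATA_DIR).each_filename.count` would be separator-independent. Two smaller points: the new test goes through `Timezone.get` while its siblings call `@data_source.load_timezone_info` directly, so a second assertion against the data source would pin the regression test to the layer this commit changes; and the casing change in `test_load_timezone_info_invalid` (`'../Definitions/UTC'` to `'../definitions/UTC'`) appears intended to point the identifier at the actual on-disk directory name so the test exercises validation rather than a path that never existed, which is worth a sentence in the commit message.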
test/tc_timezone.rb (1 addition & 1 deletion)

@@ -213,7 +213,7 @@ def test_get_not_exist
213213
end
214214

215215
def test_get_invalid
216-
assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
216+
assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
217217
end
218218

219219
def test_get_nil
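Review bot: the only change in `test_get_invalid` is the casing of the rejected identifier; what is asserted is unchanged. Since the merge commit message reads just `Merge branch 'fix-directory-traversal-1.2' into 1.2`, the reason for the casing change is not recorded anywhere, and a future reader running blame on this line will not learn why `'../Definitions/UTC'` became `'../definitions/UTC'`. Suggest stating the intent (matching the real directory name so the traversal check, not a missing file, is what rejects the identifier) in the commit message or a comment.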
test/tc_zoneinfo_data_source.rb (1 addition & 1 deletion)

@@ -374,7 +374,7 @@ def test_load_timezone_info_does_not_exist
374374

375375
def test_load_timezone_info_invalid
376376
assert_raises(InvalidTimezoneIdentifier) do
377-
@data_source.load_timezone_info('../Definitions/Europe/London')
377+
@data_source.load_timezone_info('../zoneinfo/Europe/London')
378378
end
379379
end
380380

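Review bot: this hunk changes only the test identifier for `ZoneinfoDataSource`; the data source itself is not among the 5 files changed in this commit, so nothing here shows that its `load_timezone_info` validates the whole identifier rather than the first line. Worth confirming in review that it already uses whole-string anchors (`\A`/`\z`) or an equivalent path check, since a newline-bearing identifier would raise the same concern there as the one fixed in `RubyDataSource`, and adding a traversal test mirroring `test_load_timezone_info_directory_traversal` for this data source would make that explicit.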