tzinfo 1.2.8 → 1.2.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9569ae7387d4f2847ba35f6a1268fbbc9019f9bbef1cc72e70569757320db079
-  data.tar.gz: bb66169c01610b980c35be5c7102d780d07167b785acd6ea5887b89d15eb107d
+  metadata.gz: e6364432a0aef34ccf3b6b1ecad65dd6f7f13843ac503cbcea1f693b74c96b46
+  data.tar.gz: 825fd6905101f51fa700dfa682490851952de8a692c03954d12f38944f8814c8
 SHA512:
-  metadata.gz: d9847f779c051d96c2457d364b18bdc9bc74e9b17ffd8e84106ce9c6562b2634e60f08b81af9fff6ba7c0af3b898ba4483fe8e9fa31b3e004251b203c1bee933
-  data.tar.gz: 8737907d69e81c06650a1f01b1ba45afc83f38a66b44fca093431cfea65208a92f56ada755e9f87724a6b866ecbfed11d1ef09552bbf983ce47c15c90269a322
+  metadata.gz: ef4b1b6a189bbf011294210d2e0651f41bc82e1db8fe342c9f8dbcefd473e8b49b9affa67bc9a395a5831b376db8d37b5942cfade1dacf5485f23ce3d6f78a46
+  data.tar.gz: 2871fbd7aded391c88a74724138073675690710dfca6adbbbe610ec4395e8d6631fad93b22d684650d04d9affeed0ab64a1d7489f766eb9ab1996556329c6ddc

data/CHANGES.md

@@ -1,3 +1,22 @@
+Version 1.2.10 - 19-Jul-2022
+----------------------------
+
+* Fixed a relative path traversal bug that could cause arbitrary files to be
+  loaded with require when used with RubyDataSource. Please refer to
+  https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for
+  details. CVE-2022-31163.
+* Ignore the SECURITY file from Arch Linux's tzdata package. #134.
+
+
+Version 1.2.9 - 16-Dec-2020
+---------------------------
+
+* Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a
+  zoneinfo file that includes rules specifying an additional transition to the
+  final defined offset (for example, Africa/Casablanca in version 2018e of the
+  Time Zone Database). #123.
+
+
 Version 1.2.8 - 8-Nov-2020
 --------------------------
 
@@ -5,7 +24,7 @@ Version 1.2.8 - 8-Nov-2020
   default by zic version 2020b and later. The POSIX-style TZ string is now used
   calculate DST transition times after the final defined transition in the file.
   The 64-bit section is now always used regardless of whether Time has support
-  for 64-bit times.
+  for 64-bit times. #120.
 * Rubinius is no longer supported.
 
 

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2005-2020 Philip Ross
+Copyright (c) 2005-2022 Philip Ross
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of 
 this software and associated documentation files (the "Software"), to deal in 

data/README.md

@@ -1,7 +1,7 @@
 TZInfo - Ruby Timezone Library
 ==============================
 
-[![RubyGems](https://img.shields.io/gem/v/tzinfo)](https://rubygems.org/gems/tzinfo) [![Travis CI Build](https://img.shields.io/travis/com/tzinfo/tzinfo/1.2?logo=travis)](https://travis-ci.com/tzinfo/tzinfo) [![AppVeyor Build](https://img.shields.io/appveyor/build/philr/tzinfo/1.2?logo=appveyor)](https://ci.appveyor.com/project/philr/tzinfo/branch/1.2)
+[![RubyGems](https://img.shields.io/gem/v/tzinfo?logo=rubygems&label=Gem)](https://rubygems.org/gems/tzinfo) [![Tests](https://github.com/tzinfo/tzinfo/workflows/Tests/badge.svg?branch=1.2&event=push)](https://github.com/tzinfo/tzinfo/actions?query=workflow%3ATests+branch%3A1.2+event%3Apush)
 
 [TZInfo](https://tzinfo.github.io) provides daylight savings aware
 transformations between times in different timezones.

data/lib/tzinfo/ruby_data_source.rb

@@ -38,7 +38,7 @@ module TZInfo
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
       
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
       

data/lib/tzinfo/zoneinfo_data_source.rb

@@ -87,6 +87,29 @@ module TZInfo
     # The default value of ZoneinfoDataSource.alternate_iso3166_tab_search_path.
     DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH = ['/usr/share/misc/iso3166.tab', '/usr/share/misc/iso3166'].freeze
     
+    # File and directories in the top level zoneinfo directory that will be
+    # excluded from the list of available time zones:
+    #
+    #   - +VERSION is included on Mac OS X.
+    #   - leapseconds is a list of leap seconds.
+    #   - localtime is the current local timezone (may be a link).
+    #   - posix, posixrules and right are directories containing other versions
+    #     of the zoneinfo files.
+    #   - SECURITY is included in the Arch Linux tzdata package.
+    #   - src is a directory containing the tzdata source included on Solaris.
+    #   - timeconfig is a symlink included on Slackware.
+    EXCLUDED_FILENAMES = [
+      '+VERSION',
+      'leapseconds',
+      'localtime',
+      'posix',
+      'posixrules',
+      'right',
+      'SECURITY',
+      'src',
+      'timeconfig'
+    ].freeze
+
     # Paths to be checked to find the system zoneinfo directory.
     @@search_path = DEFAULT_SEARCH_PATH.dup
     
@@ -352,16 +375,8 @@ module TZInfo
     # identifiers.
     def load_timezone_index
       index = []
-      
-      # Ignoring particular files:
-      # +VERSION is included on Mac OS X.
-      # leapseconds is a list of leap seconds.
-        # localtime is the current local timezone (may be a link).
-      # posix, posixrules and right are directories containing other versions of the zoneinfo files.
-      # src is a directory containing the tzdata source included on Solaris.
-      # timeconfig is a symlink included on Slackware.
-      
-      enum_timezones(nil, ['+VERSION', 'leapseconds', 'localtime', 'posix', 'posixrules', 'right', 'src', 'timeconfig']) do |identifier|
+
+      enum_timezones(nil, EXCLUDED_FILENAMES) do |identifier|
         index << identifier
       end
       

data/lib/tzinfo/zoneinfo_timezone_info.rb

@@ -313,8 +313,13 @@ module TZInfo
           last_year = (Time.at(last_defined[:at]).utc + previous_offset[:utc_total_offset]).year
 
           if last_year <= GENERATE_UP_TO
-            generated = rules.transitions(last_year).find_all {|t| t.at > last_defined[:at] } +
-              (last_year + 1).upto(GENERATE_UP_TO).map {|y| rules.transitions(y) }.flatten
+            last_defined_offset = offsets[last_defined[:offset]]
+
+            generated = rules.transitions(last_year).find_all do |t|
+              t.at > last_defined[:at] && !offset_matches_rule?(last_defined_offset, t.offset)
+            end
+
+            generated += (last_year + 1).upto(GENERATE_UP_TO).map {|y| rules.transitions(y) }.flatten
 
             unless generated.empty?
               transitions[-1] = validate_and_fix_last_defined_transition_offset(file, offsets, last_defined, generated[0].previous_offset)

data/test/assets/payload.rb

@@ -0,0 +1 @@
+raise 'This should never be executed'

data/test/tc_ruby_data_source.rb

@@ -48,9 +48,15 @@ class TCRubyDataSource < Minitest::Test
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/UTC')
+      @data_source.load_timezone_info('../definitions/UTC')
     end
   end
+
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+  end
   
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do

data/test/tc_timezone.rb

@@ -213,7 +213,7 @@ class TCTimezone < Minitest::Test
   end
   
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
   end
   
   def test_get_nil

data/test/tc_zoneinfo_data_source.rb

@@ -374,7 +374,7 @@ class TCZoneinfoDataSource < Minitest::Test
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/Europe/London')
+      @data_source.load_timezone_info('../zoneinfo/Europe/London')
     end
   end
   
@@ -818,6 +818,25 @@ class TCZoneinfoDataSource < Minitest::Test
     end
   end
   
+  def test_timezone_identifiers_ignored_security_file
+    # The Arch linux tzdata package includes a file named SECURITY giving
+    # instructions for reporting security-related bugs.
+
+    Dir.mktmpdir('tzinfo_test') do |dir|
+      FileUtils.touch(File.join(dir, 'zone.tab'))
+      FileUtils.touch(File.join(dir, 'iso3166.tab'))
+      FileUtils.cp(File.join(@data_source.zoneinfo_dir, 'EST'), File.join(dir, 'EST'))
+
+      File.open(File.join(dir, 'SECURITY'), 'w') do |f|
+        f.binmode
+        f.write("Please report any sensitive security-related bugs...\n")
+      end
+
+      data_source = ZoneinfoDataSource.new(dir)
+      assert_equal(['EST'], data_source.timezone_identifiers)
+    end
+  end
+
   def test_load_country_info
     info = @data_source.load_country_info('GB')
     assert_equal('GB', info.code)

data/test/tc_zoneinfo_timezone_info.rb

@@ -1895,7 +1895,18 @@ class TCZoneinfoTimezoneInfo < Minitest::Test
     end
   end
 
-  def test_load_tz_string_specifies_transition_to_offset_of_final_transition_same_year
+  def test_load_tz_string_specifies_transition_to_offset_of_final_transition_same_year_skip_dst_start
+    # TZInfo v1.2.8 considered this to be an error. However, this is a valid
+    # situation with Africa/Casablanca in 2018e.
+    #
+    # The last defined transitions are:
+    #   At 2037-03-29 02:00Z change to WEST UTC+1
+    #   At 2037-10-04 02:00Z change to WET  UTC+0
+    #
+    # The rules define the end of DST to be at 03:00 local time on the last
+    # Sunday of October (2037-10-31). This later transition needs to be
+    # ignored.
+
     offsets = [
       {:gmtoff =>  7142, :isdst => false, :abbrev => 'LMT'},
       {:gmtoff =>  7200, :isdst => false, :abbrev => 'XST'},
@@ -1916,9 +1927,76 @@ class TCZoneinfoTimezoneInfo < Minitest::Test
       JulianDayOfYearTransitionRule.new(300, 7200)
     )
 
+    generate_up_to = ZoneinfoTimezoneInfo::GENERATE_UP_TO
+
     tzif_test(offsets, transitions, :rules => rules) do |path, format|
-      error = assert_raises(InvalidZoneinfoFile) { ZoneinfoTimezoneInfo.new('Invalid/Offset', path, @posix_tz_parser) }
-      assert_equal("The first offset indicated by the POSIX-style TZ string did not match the final defined offset in file '#{path}'.", error.message)
+      info = ZoneinfoTimezoneInfo.new('Ignore/Std', path, @posix_tz_parser)
+      assert_equal('Ignore/Std', info.identifier)
+
+      assert_period(:LMT, 7142,    0, false, nil,                                     Time.utc(1971,  1,  2, 2, 0, 0) -  7142, info)
+      assert_period(:XST, 7200,    0, false, Time.utc(1971,  1,  2, 2, 0, 0) -  7142, Time.utc(1981,  4, 10, 1, 0, 0) -  7200, info)
+      assert_period(:XDT, 7200, 3600, true,  Time.utc(1981,  4, 10, 1, 0, 0) -  7200, Time.utc(1981, 10, 27, 2, 0, 0) - 10800, info)
+      assert_period(:XST, 7200,    0, false, Time.utc(1981, 10, 27, 2, 0, 0) - 10800, Time.utc(1982,  4, 10, 1, 0, 0) -  7200, info)
+      assert_period(:XDT, 7200, 3600, true,  Time.utc(1982,  4, 10, 1, 0, 0) -  7200, Time.utc(1982, 10, 27, 2, 0, 0) - 10800, info)
+
+      1983.upto(generate_up_to).each do |year|
+        assert_period(:XST, 7200,    0, false, Time.utc(year - 1, 10, 27, 2, 0, 0) - 10800, Time.utc(year,  4, 11, 1, 0, 0) -  7200, info)
+        assert_period(:XDT, 7200, 3600, true,  Time.utc(year,      4, 11, 1, 0, 0) -  7200, Time.utc(year, 10, 27, 2, 0, 0) - 10800, info)
+      end
+
+      assert_period(:XST, 7200,    0, false, Time.utc(generate_up_to, 10, 27, 2, 0, 0) - 10800, nil, info)
+    end
+  end
+
+  def test_load_tz_string_specifies_transition_to_offset_of_final_transition_same_year_skip_dst_end
+    # TZInfo v1.2.8 considered this to be an error. However, this is a valid
+    # situation with Africa/Casablanca in 2018e.
+    #
+    # The last defined transitions are:
+    #   At 2037-03-29 02:00Z change to WEST UTC+1
+    #   At 2037-10-04 02:00Z change to WET  UTC+0
+    #
+    # The rules define the end of DST to be at 03:00 local time on the last
+    # Sunday of October (2037-10-31). This later transition needs to be
+    # ignored.
+
+    offsets = [
+      {:gmtoff =>  7142, :isdst => false, :abbrev => 'LMT'},
+      {:gmtoff =>  7200, :isdst => false, :abbrev => 'XST'},
+      {:gmtoff => 10800, :isdst => true,  :abbrev => 'XDT'}
+    ]
+
+    transitions = [
+      {:at => Time.utc(1971,  1,  2, 2, 0, 0) -  7142, :offset_index => 1},
+      {:at => Time.utc(1981,  4, 10, 1, 0, 0) -  7200, :offset_index => 2},
+      {:at => Time.utc(1981, 10, 27, 2, 0, 0) - 10800, :offset_index => 1}
+    ]
+
+    rules = AnnualRules.new(
+      TimezoneOffset.new(7200, 0, 'XST'),
+      TimezoneOffset.new(7200, 3600, 'XDT'),
+      JulianDayOfYearTransitionRule.new(100, 3600),
+      JulianDayOfYearTransitionRule.new(301, 7200)
+    )
+
+    generate_up_to = ZoneinfoTimezoneInfo::GENERATE_UP_TO
+
+    tzif_test(offsets, transitions, :rules => rules) do |path, format|
+      info = ZoneinfoTimezoneInfo.new('Ignore/Std', path, @posix_tz_parser)
+      assert_equal('Ignore/Std', info.identifier)
+
+      assert_period(:LMT, 7142,    0, false, nil,                                     Time.utc(1971,  1,  2, 2, 0, 0) -  7142, info)
+      assert_period(:XST, 7200,    0, false, Time.utc(1971,  1,  2, 2, 0, 0) -  7142, Time.utc(1981,  4, 10, 1, 0, 0) -  7200, info)
+      assert_period(:XDT, 7200, 3600, true,  Time.utc(1981,  4, 10, 1, 0, 0) -  7200, Time.utc(1981, 10, 27, 2, 0, 0) - 10800, info)
+      assert_period(:XST, 7200,    0, false, Time.utc(1981, 10, 27, 2, 0, 0) - 10800, Time.utc(1982,  4, 10, 1, 0, 0) -  7200, info)
+
+      1982.upto(generate_up_to - 1).each do |year|
+        assert_period(:XDT, 7200, 3600, true,  Time.utc(year,  4, 10, 1, 0, 0) -  7200, Time.utc(year,     10, 28, 2, 0, 0) - 10800, info)
+        assert_period(:XST, 7200,    0, false, Time.utc(year, 10, 28, 2, 0, 0) - 10800, Time.utc(year + 1,  4, 10, 1, 0, 0) -  7200, info)
+      end
+
+      assert_period(:XDT, 7200, 3600, true,  Time.utc(generate_up_to,  4, 10, 1, 0, 0) -  7200, Time.utc(generate_up_to, 10, 28, 2, 0, 0) - 10800, info)
+      assert_period(:XST, 7200,    0, false, Time.utc(generate_up_to, 10, 28, 2, 0, 0) - 10800, nil,                                               info)
     end
   end
 

data/test/test_utils.rb

@@ -153,6 +153,22 @@ module Kernel
       
       actual_lines = process.readlines
       actual_lines = actual_lines.collect {|l| l.chomp}
+
+      # Ignore warnings from JRuby 1.7 and 9.0 on modern versions of Java:
+      # https://github.com/tzinfo/tzinfo/runs/1664655982#step:8:1893
+      #
+      # Ignore untaint deprecation warnings from Bundler 1 on Ruby 3.0.
+      actual_lines = actual_lines.reject do |l|
+        l.start_with?('unsupported Java version') ||
+          l.start_with?('WARNING: An illegal reflective access operation has occurred') ||
+          l.start_with?('WARNING: Illegal reflective access by') ||
+          l.start_with?('WARNING: Please consider reporting this to the maintainers of') ||
+          l.start_with?('WARNING: All illegal access operations will be denied in a future release') ||
+          l.start_with?('WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations') ||
+          l.start_with?('io/console on JRuby shells out to stty for most operations') ||
+          l =~ /\/bundler-1\..*\/lib\/bundler\/.*\.rb:\d+: warning: (Object|Pathname)#untaint is deprecated and will be removed in Ruby 3\.2\.\z/
+      end
+
       assert_equal(expected_lines, actual_lines)
     end
   end

data/tzinfo.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'tzinfo'
-  s.version = '1.2.8'
+  s.version = '1.2.10'
   s.summary = 'Daylight savings aware timezone library'
   s.description = 'TZInfo provides daylight savings aware transformations between times in different time zones.'
   s.author = 'Philip Ross'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tzinfo
 version: !ruby/object:Gem::Version
-  version: 1.2.8
+  version: 1.2.10
 platform: ruby
 authors:
 - Philip Ross
@@ -29,7 +29,7 @@ cert_chain:
   J3Zn/kSTjTekiaspyGbczC3PUaeJNxr+yCvR4sk71Xmk/GaKKGOHedJ1uj/LAXrA
   MR0mpl7b8zCg0PFC1J73uw==
   -----END CERTIFICATE-----
-date: 2020-11-08 00:00:00.000000000 Z
+date: 2022-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thread_safe
@@ -92,6 +92,7 @@ files:
 - lib/tzinfo/zoneinfo_country_info.rb
 - lib/tzinfo/zoneinfo_data_source.rb
 - lib/tzinfo/zoneinfo_timezone_info.rb
+- test/assets/payload.rb
 - test/tc_annual_rules.rb
 - test/tc_country.rb
 - test/tc_country_index_definition.rb
@@ -190,7 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Daylight savings aware timezone library