tzinfo 1.2.9 → 1.2.11
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGES.md +16 -0
- data/LICENSE +1 -1
- data/README.md +1 -1
- data/lib/tzinfo/ruby_core_support.rb +16 -9
- data/lib/tzinfo/ruby_data_source.rb +3 -7
- data/lib/tzinfo/zoneinfo_data_source.rb +27 -20
- data/lib/tzinfo/zoneinfo_timezone_info.rb +1 -5
- data/test/assets/payload.rb +1 -0
- data/test/tc_country.rb +6 -4
- data/test/tc_ruby_data_source.rb +13 -5
- data/test/tc_timezone.rb +5 -5
- data/test/tc_zoneinfo_data_source.rb +34 -12
- data/test/tc_zoneinfo_timezone_info.rb +1 -5
- data/test/test_utils.rb +35 -13
- data/test/ts_all_zoneinfo.rb +1 -1
- data/tzinfo.gemspec +1 -1
- data.tar.gz.sig +0 -0
- metadata +4 -3
- metadata.gz.sig +0 -0
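--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0c5144874478331106359b387585793f77f3d3dfe8ae0fd86ffeceff71c86342
+data.tar.gz: db94ffee0228f3afa5737b2c2003d258b23b2915919999e7349cf47c047c7cef
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7aa784cba67cb6908503874be5a5c618052c2d508a6f3f2c76d5fc5339b09970cda98719ecc3cbc5fee743657cd9ca457705fc98fa01a3b79ee156dea3c9ddc9
+data.tar.gz: 86f994ba37c3e1f38d343d828a58bada483d658544a5f8780b4ed0d28b3a8cadc5bd0a8729e07468fe2d69147ff04342faad614ffdc0dc03ced90dc6a11a3171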
checksums.yaml.gz.sig
CHANGED
Binary file
|
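--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,19 @@
+Version 1.2.11 - 28-Jan-2023
+----------------------------
+
+* Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.
+
+
+Version 1.2.10 - 19-Jul-2022
+----------------------------
+
+* Fixed a relative path traversal bug that could cause arbitrary files to be
+loaded with require when used with RubyDataSource. Please refer to
+https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for
+details. CVE-2022-31163.
+* Ignore the SECURITY file from Arch Linux's tzdata package. #134.
+
+
 Version 1.2.9 - 16-Dec-2020
 ---------------------------
 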
data/LICENSE
CHANGED
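--- a/data/README.md
+++ b/data/README.md
@@ -1,7 +1,7 @@
 TZInfo - Ruby Timezone Library
 ==============================
 
-[![RubyGems](https://img.shields.io/gem/v/tzinfo)](https://rubygems.org/gems/tzinfo) [![
+[![RubyGems](https://img.shields.io/gem/v/tzinfo?logo=rubygems&label=Gem)](https://rubygems.org/gems/tzinfo) [![Tests](https://github.com/tzinfo/tzinfo/workflows/Tests/badge.svg?branch=1.2&event=push)](https://github.com/tzinfo/tzinfo/actions?query=workflow%3ATests+branch%3A1.2+event%3Apush)
 
 [TZInfo](https://tzinfo.github.io) provides daylight savings aware
 transformations between times in different timezones.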
@@ -153,16 +153,23 @@ module TZInfo
|
|
153
153
|
end
|
154
154
|
|
155
155
|
|
156
|
-
# Object#untaint is a
|
157
|
-
# 3.2.
|
158
|
-
# if needed.
|
156
|
+
# Object#untaint is deprecated and becomes a no-op in Ruby >= 2.7. It has
|
157
|
+
# been removed from Ruby 3.2.
|
159
158
|
if !Object.new.respond_to?(:untaint) || RUBY_VERSION =~ /\A(\d+)\.(\d+)(?:\.|\z)/ && ($1 == '2' && $2.to_i >= 7 || $1.to_i >= 3)
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
159
|
+
# Returns the supplied `Object`
|
160
|
+
#
|
161
|
+
# @param o [Object] the `Object` to untaint.
|
162
|
+
# @return [Object] `o`.
|
163
|
+
def self.untaint(o)
|
164
|
+
o
|
165
|
+
end
|
166
|
+
else
|
167
|
+
# Untaints and returns the supplied `Object`.
|
168
|
+
#
|
169
|
+
# @param o [Object] the `Object` to untaint.
|
170
|
+
# @return [Object] `o`.
|
171
|
+
def self.untaint(o)
|
172
|
+
o.untaint
|
166
173
|
end
|
167
174
|
end
|
168
175
|
end
|
@@ -1,8 +1,4 @@
|
|
1
1
|
module TZInfo
|
2
|
-
# Use send as a workaround for erroneous 'wrong number of arguments' errors
|
3
|
-
# with JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
|
4
|
-
send(:using, RubyCoreSupport::UntaintExt) if RubyCoreSupport.const_defined?(:UntaintExt)
|
5
|
-
|
6
2
|
# A DataSource that loads data from the set of Ruby modules included in the
|
7
3
|
# TZInfo::Data library (tzinfo-data gem).
|
8
4
|
#
|
@@ -25,7 +21,7 @@ module TZInfo
|
|
25
21
|
data_file = File.join('', 'tzinfo', 'data.rb')
|
26
22
|
path = $".reverse_each.detect {|p| p.end_with?(data_file) }
|
27
23
|
if path
|
28
|
-
@base_path = File.join(File.dirname(path), 'data')
|
24
|
+
@base_path = RubyCoreSupport.untaint(File.join(File.dirname(path), 'data'))
|
29
25
|
else
|
30
26
|
@base_path = tzinfo_data
|
31
27
|
end
|
@@ -38,14 +34,14 @@ module TZInfo
|
|
38
34
|
# Raises InvalidTimezoneIdentifier if the timezone is not found or the
|
39
35
|
# identifier is invalid.
|
40
36
|
def load_timezone_info(identifier)
|
41
|
-
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~
|
37
|
+
raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
|
42
38
|
|
43
39
|
identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
|
44
40
|
|
45
41
|
# Untaint identifier after it has been reassigned to a new string. We
|
46
42
|
# don't want to modify the original identifier. identifier may also be
|
47
43
|
# frozen and therefore cannot be untainted.
|
48
|
-
|
44
|
+
RubyCoreSupport.untaint(identifier)
|
49
45
|
|
50
46
|
identifier = identifier.split('/')
|
51
47
|
begin
|
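Review bot: The validation regex in `load_timezone_info` has no comment saying why it is anchored with `\A` and `\z`, and that anchoring is what keeps a multi-line identifier away from the `require` named in the changelog entry for CVE-2022-31163. The removed line is cut off on this page, so the previous pattern cannot be compared, but the new traversal test passes an identifier with an embedded newline, which suggests line-based anchoring was the weakness. I would add above the `raise`: `# \A and \z anchor the whole string; ^ and $ also match at line breaks, so an identifier with an embedded newline could otherwise pass.` The method body continues past the end of this hunk, so the `require` call itself is not visible here.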
@@ -1,12 +1,4 @@
|
|
1
1
|
module TZInfo
|
2
|
-
# Use send as a workaround for an issue on JRuby 9.2.9.0 where using the
|
3
|
-
# refinement causes calls to RubyCoreSupport.file_open to fail to pass the
|
4
|
-
# block parameter.
|
5
|
-
#
|
6
|
-
# https://travis-ci.org/tzinfo/tzinfo/jobs/628812051#L1931
|
7
|
-
# https://github.com/jruby/jruby/issues/6009
|
8
|
-
send(:using, TZInfo::RubyCoreSupport::UntaintExt) if TZInfo::RubyCoreSupport.const_defined?(:UntaintExt)
|
9
|
-
|
10
2
|
# An InvalidZoneinfoDirectory exception is raised if the DataSource is
|
11
3
|
# set to a specific zoneinfo path, which is not a valid zoneinfo directory
|
12
4
|
# (i.e. a directory containing index files named iso3166.tab and zone.tab
|
@@ -87,6 +79,29 @@ module TZInfo
|
|
87
79
|
# The default value of ZoneinfoDataSource.alternate_iso3166_tab_search_path.
|
88
80
|
DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH = ['/usr/share/misc/iso3166.tab', '/usr/share/misc/iso3166'].freeze
|
89
81
|
|
82
|
+
# File and directories in the top level zoneinfo directory that will be
|
83
|
+
# excluded from the list of available time zones:
|
84
|
+
#
|
85
|
+
# - +VERSION is included on Mac OS X.
|
86
|
+
# - leapseconds is a list of leap seconds.
|
87
|
+
# - localtime is the current local timezone (may be a link).
|
88
|
+
# - posix, posixrules and right are directories containing other versions
|
89
|
+
# of the zoneinfo files.
|
90
|
+
# - SECURITY is included in the Arch Linux tzdata package.
|
91
|
+
# - src is a directory containing the tzdata source included on Solaris.
|
92
|
+
# - timeconfig is a symlink included on Slackware.
|
93
|
+
EXCLUDED_FILENAMES = [
|
94
|
+
'+VERSION',
|
95
|
+
'leapseconds',
|
96
|
+
'localtime',
|
97
|
+
'posix',
|
98
|
+
'posixrules',
|
99
|
+
'right',
|
100
|
+
'SECURITY',
|
101
|
+
'src',
|
102
|
+
'timeconfig'
|
103
|
+
].freeze
|
104
|
+
|
90
105
|
# Paths to be checked to find the system zoneinfo directory.
|
91
106
|
@@search_path = DEFAULT_SEARCH_PATH.dup
|
92
107
|
|
@@ -206,7 +221,7 @@ module TZInfo
|
|
206
221
|
# Untaint path rather than identifier. We don't want to modify
|
207
222
|
# identifier. identifier may also be frozen and therefore cannot be
|
208
223
|
# untainted.
|
209
|
-
|
224
|
+
RubyCoreSupport.untaint(path)
|
210
225
|
|
211
226
|
begin
|
212
227
|
ZoneinfoTimezoneInfo.new(identifier, path, @posix_tz_parser)
|
@@ -352,16 +367,8 @@ module TZInfo
|
|
352
367
|
# identifiers.
|
353
368
|
def load_timezone_index
|
354
369
|
index = []
|
355
|
-
|
356
|
-
|
357
|
-
# +VERSION is included on Mac OS X.
|
358
|
-
# leapseconds is a list of leap seconds.
|
359
|
-
# localtime is the current local timezone (may be a link).
|
360
|
-
# posix, posixrules and right are directories containing other versions of the zoneinfo files.
|
361
|
-
# src is a directory containing the tzdata source included on Solaris.
|
362
|
-
# timeconfig is a symlink included on Slackware.
|
363
|
-
|
364
|
-
enum_timezones(nil, ['+VERSION', 'leapseconds', 'localtime', 'posix', 'posixrules', 'right', 'src', 'timeconfig']) do |identifier|
|
370
|
+
|
371
|
+
enum_timezones(nil, EXCLUDED_FILENAMES) do |identifier|
|
365
372
|
index << identifier
|
366
373
|
end
|
367
374
|
|
@@ -373,7 +380,7 @@ module TZInfo
|
|
373
380
|
def enum_timezones(dir, exclude = [], &block)
|
374
381
|
Dir.foreach(dir ? File.join(@zoneinfo_dir, dir) : @zoneinfo_dir) do |entry|
|
375
382
|
unless entry =~ /\./ || exclude.include?(entry)
|
376
|
-
|
383
|
+
RubyCoreSupport.untaint(entry)
|
377
384
|
path = dir ? File.join(dir, entry) : entry
|
378
385
|
full_path = File.join(@zoneinfo_dir, path)
|
379
386
|
|
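Review bot: `RubyCoreSupport.untaint(entry)` in `enum_timezones` marks a directory entry as trusted with no comment saying what was checked first. The only guards visible in the hunk are `entry =~ /\./` and the exclude list, and per the `ruby_core_support.rb` change the call does nothing on Ruby 2.7 and later, so on those versions the guards are the entire safeguard. I would add `# entry comes from Dir.foreach and contains no '.', so it cannot be '.' or '..'.` above the call. The rest of `enum_timezones` lies outside the hunk, so any further checks on `full_path` are not visible here.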
@@ -1,8 +1,4 @@
|
|
1
1
|
module TZInfo
|
2
|
-
# Use send as a workaround for erroneous 'wrong number of arguments' errors
|
3
|
-
# with JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
|
4
|
-
send(:using, RubyCoreSupport::UntaintExt) if RubyCoreSupport.const_defined?(:UntaintExt)
|
5
|
-
|
6
2
|
# An InvalidZoneinfoFile exception is raised if an attempt is made to load an
|
7
3
|
# invalid zoneinfo file.
|
8
4
|
class InvalidZoneinfoFile < StandardError
|
@@ -351,7 +347,7 @@ module TZInfo
|
|
351
347
|
std_offset = 0
|
352
348
|
end
|
353
349
|
|
354
|
-
offset index, utc_offset, std_offset, offset[:abbr].
|
350
|
+
offset index, utc_offset, std_offset, RubyCoreSupport.untaint(offset[:abbr]).to_sym
|
355
351
|
end
|
356
352
|
|
357
353
|
# Parses a zoneinfo file and intializes the DataTimezoneInfo structures.
|
@@ -0,0 +1 @@
|
|
1
|
+
raise 'This should never be executed'
|
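Review bot: This one-line file has no comment saying what it is for, and the file list in `metadata` shows it is packaged with the gem as `test/assets/payload.rb`, a name that will draw attention in a dependency audit. Its file header is missing on this page; going by the diffstat it is `data/test/assets/payload.rb`, and it appears to be the file that `test_load_timezone_info_directory_traversal` tries to reach through a crafted identifier, so that a validation failure raises instead of passing silently. I would add a first line such as `# Test fixture: loaded only if RubyDataSource fails to reject a path traversal identifier.`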
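--- a/data/test/tc_country.rb
+++ b/data/test/tc_country.rb
@@ -2,10 +2,6 @@ require File.join(File.expand_path(File.dirname(__FILE__)), 'test_utils')
 
 include TZInfo
 
-# Use send as a workaround for erroneous 'wrong number of arguments' errors with
-# JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
-send(:using, TaintExt) if Module.const_defined?(:TaintExt)
-
 class TCCountry < Minitest::Test
 def setup
 @orig_data_source = DataSource.get
@@ -48,6 +44,7 @@ class TCCountry < Minitest::Test
 end
 
 def test_get_tainted_loaded
+skip_if_taint_is_undefined_or_no_op
 Country.get('GB')
 
 safe_test(:unavailable => :skip) do
@@ -60,6 +57,7 @@ class TCCountry < Minitest::Test
 end
 
 def test_get_tainted_and_frozen_loaded
+skip_if_taint_is_undefined_or_no_op
 Country.get('GB')
 
 safe_test do
@@ -69,6 +67,8 @@ class TCCountry < Minitest::Test
 end
 
 def test_get_tainted_not_previously_loaded
+skip_if_taint_is_undefined_or_no_op
+
 safe_test(:unavailable => :skip) do
 code = 'GB'.dup.taint
 assert(code.tainted?)
@@ -79,6 +79,8 @@ class TCCountry < Minitest::Test
 end
 
 def test_get_tainted_and_frozen_not_previously_loaded
+skip_if_taint_is_undefined_or_no_op
+
 safe_test do
 country = Country.get('GB'.dup.taint.freeze)
 assert_equal('GB', country.code)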
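--- a/data/test/tc_ruby_data_source.rb
+++ b/data/test/tc_ruby_data_source.rb
@@ -2,10 +2,6 @@ require File.join(File.expand_path(File.dirname(__FILE__)), 'test_utils')
 
 include TZInfo
 
-# Use send as a workaround for erroneous 'wrong number of arguments' errors with
-# JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
-send(:using, TaintExt) if Module.const_defined?(:TaintExt)
-
 class TCRubyDataSource < Minitest::Test
 def setup
 @data_source = RubyDataSource.new
@@ -48,9 +44,15 @@ class TCRubyDataSource < Minitest::Test
 
 def test_load_timezone_info_invalid
 assert_raises(InvalidTimezoneIdentifier) do
-@data_source.load_timezone_info('../
+@data_source.load_timezone_info('../definitions/UTC')
 end
 end
+
+def test_load_timezone_info_directory_traversal
+test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+end
 
 def test_load_timezone_info_nil
 assert_raises(InvalidTimezoneIdentifier) do
@@ -75,6 +77,7 @@ class TCRubyDataSource < Minitest::Test
 end
 
 def test_load_timezone_info_tainted
+skip_if_taint_is_undefined_or_no_op
 skip_if_has_bug_14060
 
 safe_test(:unavailable => :skip) do
@@ -87,6 +90,7 @@ class TCRubyDataSource < Minitest::Test
 end
 
 def test_load_timezone_info_tainted_and_frozen
+skip_if_taint_is_undefined_or_no_op
 skip_if_has_bug_14060
 
 safe_test do
@@ -143,6 +147,8 @@ class TCRubyDataSource < Minitest::Test
 end
 
 def test_load_country_info_tainted
+skip_if_taint_is_undefined_or_no_op
+
 safe_test(:unavailable => :skip) do
 code = 'NL'.dup.taint
 assert(code.tainted?)
@@ -153,6 +159,8 @@ class TCRubyDataSource < Minitest::Test
 end
 
 def test_load_country_info_tainted_and_frozen
+skip_if_taint_is_undefined_or_no_op
+
 safe_test do
 info = @data_source.load_country_info('NL'.dup.taint.freeze)
 assert_equal('NL', info.code)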
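Review bot: `test_load_timezone_info_directory_traversal` calls `Timezone.get`, so it exercises whichever data source is configured globally rather than the `RubyDataSource` built in `setup`. `ts_all_zoneinfo.rb` switches the global source with `TZInfo::DataSource.set(:zoneinfo, zoneinfo_path)`; if this test case is also run from that suite, which is not visible here, the assertion could pass without reaching the validation this release fixes. Calling the instance directly keeps the test tied to the fixed code: `assert_raises(InvalidTimezoneIdentifier) { @data_source.load_timezone_info("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }`.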
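--- a/data/test/tc_timezone.rb
+++ b/data/test/tc_timezone.rb
@@ -2,10 +2,6 @@ require File.join(File.expand_path(File.dirname(__FILE__)), 'test_utils')
 
 include TZInfo
 
-# Use send as a workaround for erroneous 'wrong number of arguments' errors with
-# JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
-send(:using, TaintExt) if Module.const_defined?(:TaintExt)
-
 class TCTimezone < Minitest::Test
 
 class BlockCalled < StandardError
@@ -213,7 +209,7 @@ class TCTimezone < Minitest::Test
 end
 
 def test_get_invalid
-assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../
+assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
 end
 
 def test_get_nil
@@ -244,6 +240,7 @@ class TCTimezone < Minitest::Test
 end
 
 def test_get_tainted_loaded
+skip_if_taint_is_undefined_or_no_op
 Timezone.get('Europe/Andorra')
 
 safe_test(:unavailable => :skip) do
@@ -256,6 +253,7 @@ class TCTimezone < Minitest::Test
 end
 
 def test_get_tainted_and_frozen_loaded
+skip_if_taint_is_undefined_or_no_op
 Timezone.get('Europe/Andorra')
 
 safe_test do
@@ -265,6 +263,7 @@ class TCTimezone < Minitest::Test
 end
 
 def test_get_tainted_not_previously_loaded
+skip_if_taint_is_undefined_or_no_op
 skip_if_has_bug_14060
 
 safe_test(:unavailable => :skip) do
@@ -277,6 +276,7 @@ class TCTimezone < Minitest::Test
 end
 
 def test_get_tainted_and_frozen_not_previously_loaded
+skip_if_taint_is_undefined_or_no_op
 skip_if_has_bug_14060
 
 safe_test do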
@@ -7,17 +7,8 @@ require 'tmpdir'
|
|
7
7
|
|
8
8
|
include TZInfo
|
9
9
|
|
10
|
-
# Use send as a workaround for an issue on JRuby 9.2.9.0 where using the
|
11
|
-
# refinement causes calls to RubyCoreSupport.file_open to fail to pass the block
|
12
|
-
# parameter.
|
13
|
-
#
|
14
|
-
# https://travis-ci.org/tzinfo/tzinfo/jobs/628812051#L1931
|
15
|
-
# https://github.com/jruby/jruby/issues/6009
|
16
|
-
send(:using, TZInfo::RubyCoreSupport::UntaintExt) if TZInfo::RubyCoreSupport.const_defined?(:UntaintExt)
|
17
|
-
send(:using, TaintExt) if Module.const_defined?(:TaintExt)
|
18
|
-
|
19
10
|
class TCZoneinfoDataSource < Minitest::Test
|
20
|
-
ZONEINFO_DIR = File.join(File.expand_path(File.dirname(__FILE__)), 'zoneinfo')
|
11
|
+
ZONEINFO_DIR = RubyCoreSupport.untaint(File.join(File.expand_path(File.dirname(__FILE__)), 'zoneinfo'))
|
21
12
|
|
22
13
|
def setup
|
23
14
|
@orig_search_path = ZoneinfoDataSource.search_path.clone
|
@@ -374,7 +365,7 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
374
365
|
|
375
366
|
def test_load_timezone_info_invalid
|
376
367
|
assert_raises(InvalidTimezoneIdentifier) do
|
377
|
-
@data_source.load_timezone_info('../
|
368
|
+
@data_source.load_timezone_info('../zoneinfo/Europe/London')
|
378
369
|
end
|
379
370
|
end
|
380
371
|
|
@@ -662,6 +653,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
662
653
|
end
|
663
654
|
|
664
655
|
def test_load_timezone_info_tainted
|
656
|
+
skip_if_taint_is_undefined_or_no_op
|
657
|
+
|
665
658
|
safe_test(:unavailable => :skip) do
|
666
659
|
identifier = 'Europe/Amsterdam'.dup.taint
|
667
660
|
assert(identifier.tainted?)
|
@@ -672,6 +665,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
672
665
|
end
|
673
666
|
|
674
667
|
def test_load_timezone_info_tainted_and_frozen
|
668
|
+
skip_if_taint_is_undefined_or_no_op
|
669
|
+
|
675
670
|
safe_test do
|
676
671
|
info = @data_source.load_timezone_info('Europe/Amsterdam'.dup.taint.freeze)
|
677
672
|
assert_equal('Europe/Amsterdam', info.identifier)
|
@@ -679,6 +674,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
679
674
|
end
|
680
675
|
|
681
676
|
def test_load_timezone_info_tainted_zoneinfo_dir_safe_mode
|
677
|
+
skip_if_taint_is_undefined_or_no_op
|
678
|
+
|
682
679
|
safe_test(:unavailable => :skip) do
|
683
680
|
assert_raises(SecurityError) do
|
684
681
|
ZoneinfoDataSource.new(@data_source.zoneinfo_dir.dup.taint)
|
@@ -687,6 +684,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
687
684
|
end
|
688
685
|
|
689
686
|
def test_load_timezone_info_tainted_zoneinfo_dir
|
687
|
+
skip_if_taint_is_undefined_or_no_op
|
688
|
+
|
690
689
|
data_source = ZoneinfoDataSource.new(@data_source.zoneinfo_dir.dup.taint)
|
691
690
|
info = data_source.load_timezone_info('Europe/London')
|
692
691
|
assert_kind_of(ZoneinfoTimezoneInfo, info)
|
@@ -697,7 +696,7 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
697
696
|
entries = Dir.glob(File.join(directory, '**', '*'))
|
698
697
|
|
699
698
|
entries = entries.select do |file|
|
700
|
-
|
699
|
+
RubyCoreSupport.untaint(file)
|
701
700
|
File.file?(file)
|
702
701
|
end
|
703
702
|
|
@@ -818,6 +817,25 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
818
817
|
end
|
819
818
|
end
|
820
819
|
|
820
|
+
def test_timezone_identifiers_ignored_security_file
|
821
|
+
# The Arch linux tzdata package includes a file named SECURITY giving
|
822
|
+
# instructions for reporting security-related bugs.
|
823
|
+
|
824
|
+
Dir.mktmpdir('tzinfo_test') do |dir|
|
825
|
+
FileUtils.touch(File.join(dir, 'zone.tab'))
|
826
|
+
FileUtils.touch(File.join(dir, 'iso3166.tab'))
|
827
|
+
FileUtils.cp(File.join(@data_source.zoneinfo_dir, 'EST'), File.join(dir, 'EST'))
|
828
|
+
|
829
|
+
File.open(File.join(dir, 'SECURITY'), 'w') do |f|
|
830
|
+
f.binmode
|
831
|
+
f.write("Please report any sensitive security-related bugs...\n")
|
832
|
+
end
|
833
|
+
|
834
|
+
data_source = ZoneinfoDataSource.new(dir)
|
835
|
+
assert_equal(['EST'], data_source.timezone_identifiers)
|
836
|
+
end
|
837
|
+
end
|
838
|
+
|
821
839
|
def test_load_country_info
|
822
840
|
info = @data_source.load_country_info('GB')
|
823
841
|
assert_equal('GB', info.code)
|
@@ -849,6 +867,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
849
867
|
end
|
850
868
|
|
851
869
|
def test_load_country_info_tainted
|
870
|
+
skip_if_taint_is_undefined_or_no_op
|
871
|
+
|
852
872
|
safe_test(:unavailable => :skip) do
|
853
873
|
code = 'NL'.dup.taint
|
854
874
|
assert(code.tainted?)
|
@@ -859,6 +879,8 @@ class TCZoneinfoDataSource < Minitest::Test
|
|
859
879
|
end
|
860
880
|
|
861
881
|
def test_load_country_info_tainted_and_frozen
|
882
|
+
skip_if_taint_is_undefined_or_no_op
|
883
|
+
|
862
884
|
safe_test do
|
863
885
|
info = @data_source.load_country_info('NL'.dup.taint.freeze)
|
864
886
|
assert_equal('NL', info.code)
|
@@ -5,10 +5,6 @@ require 'tempfile'
|
|
5
5
|
|
6
6
|
include TZInfo
|
7
7
|
|
8
|
-
# Use send as a workaround for erroneous 'wrong number of arguments' errors with
|
9
|
-
# JRuby 9.0.5.0 when calling methods with Java implementations. See #114.
|
10
|
-
send(:using, RubyCoreSupport::UntaintExt) if RubyCoreSupport.const_defined?(:UntaintExt)
|
11
|
-
|
12
8
|
class TCZoneinfoTimezoneInfo < Minitest::Test
|
13
9
|
class FakePosixTimeZoneParser
|
14
10
|
def initialize(&block)
|
@@ -1281,7 +1277,7 @@ class TCZoneinfoTimezoneInfo < Minitest::Test
|
|
1281
1277
|
|
1282
1278
|
tzif_test(offsets, []) do |path, format|
|
1283
1279
|
# untaint only required for Ruby 1.9.2
|
1284
|
-
|
1280
|
+
RubyCoreSupport.untaint(path)
|
1285
1281
|
|
1286
1282
|
safe_test do
|
1287
1283
|
info = ZoneinfoTimezoneInfo.new('Zone/three', path, @posix_tz_parser)
|
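--- a/data/test/test_utils.rb
+++ b/data/test/test_utils.rb
@@ -108,6 +108,25 @@ module Kernel
 skip('Skipping test due to Ruby 2.4.4 being affected by Bug 14060 (see https://bugs.ruby-lang.org/issues/14060#note-5)')
 end
 end
+
+# Object#taint is deprecated in Ruby >= 2.7 and will be removed in 3.2.
+# 2.7 makes it a no-op with a warning.
+# Define a method that will skip for use in tests that deal with tainted
+# objects.
+if Object.respond_to?(:taint)
+if RUBY_VERSION >= '2.7'
+def skip_if_taint_is_undefined_or_no_op
+skip('Object#taint is a no-op')
+end
+else
+def skip_if_taint_is_undefined_or_no_op
+end
+end
+else
+def skip_if_taint_is_undefined_or_no_op
+skip('Object#taint is not defined')
+end
+end
 
 def assert_array_same_items(expected, actual, msg = nil)
 full_message = message(msg, '') { diff(expected, actual) }
@@ -153,6 +172,22 @@ module Kernel
 
 actual_lines = process.readlines
 actual_lines = actual_lines.collect {|l| l.chomp}
+
+# Ignore warnings from JRuby 1.7 and 9.0 on modern versions of Java:
+# https://github.com/tzinfo/tzinfo/runs/1664655982#step:8:1893
+#
+# Ignore untaint deprecation warnings from Bundler 1 on Ruby 3.0.
+actual_lines = actual_lines.reject do |l|
+l.start_with?('unsupported Java version') ||
+l.start_with?('WARNING: An illegal reflective access operation has occurred') ||
+l.start_with?('WARNING: Illegal reflective access by') ||
+l.start_with?('WARNING: Please consider reporting this to the maintainers of') ||
+l.start_with?('WARNING: All illegal access operations will be denied in a future release') ||
+l.start_with?('WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations') ||
+l.start_with?('io/console on JRuby shells out to stty for most operations') ||
+l =~ /\/bundler-1\..*\/lib\/bundler\/.*\.rb:\d+: warning: (Object|Pathname)#untaint is deprecated and will be removed in Ruby 3\.2\.\z/
+end
+
 assert_equal(expected_lines, actual_lines)
 end
 end
@@ -168,19 +203,6 @@ module Kernel
 end
 
 
-# Object#taint is a deprecated no-op in Ruby 2.7 and outputs a warning. It will
-# be removed in 3.2. Silence the warning or supply a replacement.
-if TZInfo::RubyCoreSupport.const_defined?(:UntaintExt)
-module TaintExt
-refine Object do
-def taint
-self
-end
-end
-end
-end
-
-
 # JRuby 1.7.5 to 1.7.9 consider DateTime instances that differ by less than
 # 1 millisecond to be equivalent (https://github.com/jruby/jruby/issues/1311).
 #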
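Review bot: `RUBY_VERSION >= '2.7'` in the new `skip_if_taint_is_undefined_or_no_op` block compares version strings lexically, which holds for the versions named in the comment but would misorder a two-digit component (a constructed example: `'2.10'` sorts below `'2.7'`). The library side of this release decides the same question numerically in `ruby_core_support.rb` (`$1.to_i`, `$2.to_i >= 7`), and the test helper should agree with it. One option is `if (RUBY_VERSION.split('.').first(2).map { |p| p.to_i } <=> [2, 7]) >= 0`.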
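--- a/data/test/ts_all_zoneinfo.rb
+++ b/data/test/ts_all_zoneinfo.rb
@@ -3,7 +3,7 @@ require File.join(File.expand_path(File.dirname(__FILE__)), 'test_utils.rb')
 # Use a zoneinfo directory containing files needed by the tests.
 # The symlinks in this directory are set up in test_utils.rb.
 zoneinfo_path = File.join(File.expand_path(File.dirname(__FILE__)), 'zoneinfo')
-
+TZInfo.const_get(:RubyCoreSupport).untaint(zoneinfo_path) if RUBY_VERSION < '2.7'
 TZInfo::DataSource.set(:zoneinfo, zoneinfo_path)
 
 require File.join(File.expand_path(File.dirname(__FILE__)), 'ts_all.rb')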
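Review bot: The `if RUBY_VERSION < '2.7'` guard on the new line repeats a decision that `RubyCoreSupport.untaint` already makes internally, where it returns its argument unchanged on Ruby 2.7 and later. The `TZInfo.const_get(:RubyCoreSupport)` lookup is also unexplained, while the other test files in this release refer to `RubyCoreSupport` directly. Unless the constant cannot be referenced normally at this point, which is not visible here, `TZInfo::RubyCoreSupport.untaint(zoneinfo_path)` says the same thing more plainly; if the indirection is deliberate, a one-line comment giving the reason would help.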
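--- a/data/tzinfo.gemspec
+++ b/data/tzinfo.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'tzinfo'
-s.version = '1.2.
+s.version = '1.2.11'
 s.summary = 'Daylight savings aware timezone library'
 s.description = 'TZInfo provides daylight savings aware transformations between times in different time zones.'
 s.author = 'Philip Ross'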
data.tar.gz.sig
CHANGED
Binary file
|
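--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tzinfo
 version: !ruby/object:Gem::Version
-version: 1.2.
+version: 1.2.11
 platform: ruby
 authors:
 - Philip Ross
@@ -29,7 +29,7 @@ cert_chain:
 J3Zn/kSTjTekiaspyGbczC3PUaeJNxr+yCvR4sk71Xmk/GaKKGOHedJ1uj/LAXrA
 MR0mpl7b8zCg0PFC1J73uw==
 -----END CERTIFICATE-----
-date:
+date: 2023-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thread_safe
@@ -92,6 +92,7 @@ files:
 - lib/tzinfo/zoneinfo_country_info.rb
 - lib/tzinfo/zoneinfo_data_source.rb
 - lib/tzinfo/zoneinfo_timezone_info.rb
+- test/assets/payload.rb
 - test/tc_annual_rules.rb
 - test/tc_country.rb
 - test/tc_country_index_definition.rb
@@ -190,7 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.4.5
 signing_key:
 specification_version: 4
 summary: Daylight savings aware timezone library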
metadata.gz.sig
CHANGED
Binary file
|