RubyGems - tzinfo - Versions diffs - 1.2.9 → 1.2.10 - Mend

tzinfo 1.2.9 → 1.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +2 -3
data/CHANGES.md +10 -0
data/LICENSE +1 -1
data/README.md +1 -1
data/lib/tzinfo/ruby_data_source.rb +1 -1
data/lib/tzinfo/zoneinfo_data_source.rb +25 -10
data/test/assets/payload.rb +1 -0
data/test/tc_ruby_data_source.rb +7 -1
data/test/tc_timezone.rb +1 -1
data/test/tc_zoneinfo_data_source.rb +20 -1
data/test/test_utils.rb +16 -0
data/tzinfo.gemspec +1 -1
data.tar.gz.sig +0 -0
metadata +4 -3
metadata.gz.sig +0 -0

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ddfbcb761e22870203af94d9cd3d47254ce0487d49ab51d804190d7d1961c125
-  data.tar.gz: f1e1f7eb70f406974d3fdbcda4cb78a6e2fa0842c0a6ec912fe80986a59e57fa
+  metadata.gz: e6364432a0aef34ccf3b6b1ecad65dd6f7f13843ac503cbcea1f693b74c96b46
+  data.tar.gz: 825fd6905101f51fa700dfa682490851952de8a692c03954d12f38944f8814c8
 SHA512:
-  metadata.gz: 5fe024d4d8c134dc324dedab7e6bca66293cf52e80ca16a3d32222e961dd5b563eead2bd110a72a212e7cde0e8ad0c87bc075ce19ad06e3d46ee0b3c3fb45c0a
-  data.tar.gz: 2c9c48dd44315d61129850ee160932f64afb1e90d8ca82dcd9388b2a79699c3b140340c9541ef822ba02d0791bc4df7c1c7e5a15c9d5840d37f177c1e5942242
+  metadata.gz: ef4b1b6a189bbf011294210d2e0651f41bc82e1db8fe342c9f8dbcefd473e8b49b9affa67bc9a395a5831b376db8d37b5942cfade1dacf5485f23ce3d6f78a46
+  data.tar.gz: 2871fbd7aded391c88a74724138073675690710dfca6adbbbe610ec4395e8d6631fad93b22d684650d04d9affeed0ab64a1d7489f766eb9ab1996556329c6ddc

checksums.yaml.gz.sig CHANGED Viewed

@@ -1,3 +1,2 @@
-3�y�=��Q��h�n�;�D7`��U�g�����T���Z�Rv�P;4P��p�Q�Gu�I+���Qubd��p۲�o�W[��x��q.w�yyU�ٽ�a�!2kniƔ9�z
-4�ِ�qjJ�i> f쉾�|���u�#��՞�I�O0G4�&|���b�o�
-A���f���X}�`o��n;>J�iHx�@?���po��׮�CC
+Y�1]Q�ti�t���mPo���ڊ -O��D�cu���[<��oͽc5�}�x`��[^�J?7��s����+��ȶ��M�v��ǐ��9�e���l9J��ۑ�3?e�V~�E����6E����Eb�)��xdTk�^�BdAC?�����=Jcr�%�����l�~��)�aPʃ\�=[ݪ��{l��fFBݦ��]�_����<v�S��0��7�z|�-�$���ؑ����^ڐ��(�ReaK�s�|�c��d
+�K�W��

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+Version 1.2.10 - 19-Jul-2022
+----------------------------
+* Fixed a relative path traversal bug that could cause arbitrary files to be
+  loaded with require when used with RubyDataSource. Please refer to
+  https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for
+  details. CVE-2022-31163.
+* Ignore the SECURITY file from Arch Linux's tzdata package. #134.
 Version 1.2.9 - 16-Dec-2020
 ---------------------------

data/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2005-2020 Philip Ross
+Copyright (c) 2005-2022 Philip Ross
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

data/README.md CHANGED Viewed

@@ -1,7 +1,7 @@
 TZInfo - Ruby Timezone Library
 ==============================
-[![RubyGems](https://img.shields.io/gem/v/tzinfo)](https://rubygems.org/gems/tzinfo) [![Travis CI Build](https://img.shields.io/travis/com/tzinfo/tzinfo/1.2?logo=travis)](https://travis-ci.com/tzinfo/tzinfo) [![AppVeyor Build](https://img.shields.io/appveyor/build/philr/tzinfo/1.2?logo=appveyor)](https://ci.appveyor.com/project/philr/tzinfo/branch/1.2)
+[![RubyGems](https://img.shields.io/gem/v/tzinfo?logo=rubygems&label=Gem)](https://rubygems.org/gems/tzinfo) [![Tests](https://github.com/tzinfo/tzinfo/workflows/Tests/badge.svg?branch=1.2&event=push)](https://github.com/tzinfo/tzinfo/actions?query=workflow%3ATests+branch%3A1.2+event%3Apush)
 [TZInfo](https://tzinfo.github.io) provides daylight savings aware
 transformations between times in different timezones.

data/lib/tzinfo/ruby_data_source.rb CHANGED Viewed

@@ -38,7 +38,7 @@ module TZInfo
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')

data/lib/tzinfo/zoneinfo_data_source.rb CHANGED Viewed

@@ -87,6 +87,29 @@ module TZInfo
     # The default value of ZoneinfoDataSource.alternate_iso3166_tab_search_path.
     DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH = ['/usr/share/misc/iso3166.tab', '/usr/share/misc/iso3166'].freeze
+    # File and directories in the top level zoneinfo directory that will be
+    # excluded from the list of available time zones:
+    #
+    #   - +VERSION is included on Mac OS X.
+    #   - leapseconds is a list of leap seconds.
+    #   - localtime is the current local timezone (may be a link).
+    #   - posix, posixrules and right are directories containing other versions
+    #     of the zoneinfo files.
+    #   - SECURITY is included in the Arch Linux tzdata package.
+    #   - src is a directory containing the tzdata source included on Solaris.
+    #   - timeconfig is a symlink included on Slackware.
+    EXCLUDED_FILENAMES = [
+      '+VERSION',
+      'leapseconds',
+      'localtime',
+      'posix',
+      'posixrules',
+      'right',
+      'SECURITY',
+      'src',
+      'timeconfig'
+    ].freeze
     # Paths to be checked to find the system zoneinfo directory.
     @@search_path = DEFAULT_SEARCH_PATH.dup
@@ -352,16 +375,8 @@ module TZInfo
     # identifiers.
     def load_timezone_index
       index = []
-      # Ignoring particular files:
-      # +VERSION is included on Mac OS X.
-      # leapseconds is a list of leap seconds.
-        # localtime is the current local timezone (may be a link).
-      # posix, posixrules and right are directories containing other versions of the zoneinfo files.
-      # src is a directory containing the tzdata source included on Solaris.
-      # timeconfig is a symlink included on Slackware.
-      enum_timezones(nil, ['+VERSION', 'leapseconds', 'localtime', 'posix', 'posixrules', 'right', 'src', 'timeconfig']) do |identifier|
+      enum_timezones(nil, EXCLUDED_FILENAMES) do |identifier|
         index << identifier
       end

data/test/assets/payload.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ raise 'This should never be executed'

data/test/tc_ruby_data_source.rb CHANGED Viewed

@@ -48,9 +48,15 @@ class TCRubyDataSource < Minitest::Test
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/UTC')
+      @data_source.load_timezone_info('../definitions/UTC')
     end
   end
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+  end
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do

data/test/tc_timezone.rb CHANGED Viewed

@@ -213,7 +213,7 @@ class TCTimezone < Minitest::Test
   end
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
   end
   def test_get_nil

data/test/tc_zoneinfo_data_source.rb CHANGED Viewed

@@ -374,7 +374,7 @@ class TCZoneinfoDataSource < Minitest::Test
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/Europe/London')
+      @data_source.load_timezone_info('../zoneinfo/Europe/London')
     end
   end
@@ -818,6 +818,25 @@ class TCZoneinfoDataSource < Minitest::Test
     end
   end
+  def test_timezone_identifiers_ignored_security_file
+    # The Arch linux tzdata package includes a file named SECURITY giving
+    # instructions for reporting security-related bugs.
+    Dir.mktmpdir('tzinfo_test') do |dir|
+      FileUtils.touch(File.join(dir, 'zone.tab'))
+      FileUtils.touch(File.join(dir, 'iso3166.tab'))
+      FileUtils.cp(File.join(@data_source.zoneinfo_dir, 'EST'), File.join(dir, 'EST'))
+      File.open(File.join(dir, 'SECURITY'), 'w') do |f|
+        f.binmode
+        f.write("Please report any sensitive security-related bugs...\n")
+      end
+      data_source = ZoneinfoDataSource.new(dir)
+      assert_equal(['EST'], data_source.timezone_identifiers)
+    end
+  end
   def test_load_country_info
     info = @data_source.load_country_info('GB')
     assert_equal('GB', info.code)

data/test/test_utils.rb CHANGED Viewed

@@ -153,6 +153,22 @@ module Kernel
       actual_lines = process.readlines
       actual_lines = actual_lines.collect {|l| l.chomp}
+      # Ignore warnings from JRuby 1.7 and 9.0 on modern versions of Java:
+      # https://github.com/tzinfo/tzinfo/runs/1664655982#step:8:1893
+      #
+      # Ignore untaint deprecation warnings from Bundler 1 on Ruby 3.0.
+      actual_lines = actual_lines.reject do |l|
+        l.start_with?('unsupported Java version') ||
+          l.start_with?('WARNING: An illegal reflective access operation has occurred') ||
+          l.start_with?('WARNING: Illegal reflective access by') ||
+          l.start_with?('WARNING: Please consider reporting this to the maintainers of') ||
+          l.start_with?('WARNING: All illegal access operations will be denied in a future release') ||
+          l.start_with?('WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations') ||
+          l.start_with?('io/console on JRuby shells out to stty for most operations') ||
+          l =~ /\/bundler-1\..*\/lib\/bundler\/.*\.rb:\d+: warning: (Object|Pathname)#untaint is deprecated and will be removed in Ruby 3\.2\.\z/
+      end
       assert_equal(expected_lines, actual_lines)
     end
   end

data/tzinfo.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'tzinfo'
-  s.version = '1.2.9'
+  s.version = '1.2.10'
   s.summary = 'Daylight savings aware timezone library'
   s.description = 'TZInfo provides daylight savings aware transformations between times in different time zones.'
   s.author = 'Philip Ross'

data.tar.gz.sig CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tzinfo
 version: !ruby/object:Gem::Version
-  version: 1.2.9
+  version: 1.2.10
 platform: ruby
 authors:
 - Philip Ross
@@ -29,7 +29,7 @@ cert_chain:
   J3Zn/kSTjTekiaspyGbczC3PUaeJNxr+yCvR4sk71Xmk/GaKKGOHedJ1uj/LAXrA
   MR0mpl7b8zCg0PFC1J73uw==
   -----END CERTIFICATE-----
-date: 2020-12-16 00:00:00.000000000 Z
+date: 2022-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thread_safe
@@ -92,6 +92,7 @@ files:
 - lib/tzinfo/zoneinfo_country_info.rb
 - lib/tzinfo/zoneinfo_data_source.rb
 - lib/tzinfo/zoneinfo_timezone_info.rb
+- test/assets/payload.rb
 - test/tc_annual_rules.rb
 - test/tc_country.rb
 - test/tc_country_index_definition.rb
@@ -190,7 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Daylight savings aware timezone library

metadata.gz.sig CHANGED Viewed

Binary file