tzinfo 1.2.9 → 1.2.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ddfbcb761e22870203af94d9cd3d47254ce0487d49ab51d804190d7d1961c125
-  data.tar.gz: f1e1f7eb70f406974d3fdbcda4cb78a6e2fa0842c0a6ec912fe80986a59e57fa
+  metadata.gz: e6364432a0aef34ccf3b6b1ecad65dd6f7f13843ac503cbcea1f693b74c96b46
+  data.tar.gz: 825fd6905101f51fa700dfa682490851952de8a692c03954d12f38944f8814c8
 SHA512:
-  metadata.gz: 5fe024d4d8c134dc324dedab7e6bca66293cf52e80ca16a3d32222e961dd5b563eead2bd110a72a212e7cde0e8ad0c87bc075ce19ad06e3d46ee0b3c3fb45c0a
-  data.tar.gz: 2c9c48dd44315d61129850ee160932f64afb1e90d8ca82dcd9388b2a79699c3b140340c9541ef822ba02d0791bc4df7c1c7e5a15c9d5840d37f177c1e5942242
+  metadata.gz: ef4b1b6a189bbf011294210d2e0651f41bc82e1db8fe342c9f8dbcefd473e8b49b9affa67bc9a395a5831b376db8d37b5942cfade1dacf5485f23ce3d6f78a46
+  data.tar.gz: 2871fbd7aded391c88a74724138073675690710dfca6adbbbe610ec4395e8d6631fad93b22d684650d04d9affeed0ab64a1d7489f766eb9ab1996556329c6ddc

checksums.yaml.gz.sig

@@ -1,3 +1,2 @@
-3�y�=��Q��h�n�;�D7`��U�g�����T���Z�Rv�P;4P��p�Q�Gu�I+���Qubd��p۲�o�W[��x��q.w�yyU�ٽ�a�!2kniƔ9�z
-4�ِ�qjJ�i> f쉾�|���u�#��՞�I�O0G
4�&|���b�o�
-A���f���X}�`o��n;>J�iHx�@?���po
��׮�C
C
+Y�1]Q�ti�t���mPo���ڊ -O��D�cu���[<��oͽc5�}�x`��[^�J?7��s����+��ȶ��M�v��ǐ��9�e���l9J��ۑ�3?e�V~�E����6E����Eb�)��xdTk�^�BdAC?�����=Jcr�%�����l�~��)�aPʃ\�=[ݪ��{l��fFBݦ��]�_����<v�S��0��7�z|�-�$���ؑ����^ڐ��(�ReaK�s�|�c��d
+�K�W��

data/CHANGES.md

@@ -1,3 +1,13 @@
+Version 1.2.10 - 19-Jul-2022
+----------------------------
+
+* Fixed a relative path traversal bug that could cause arbitrary files to be
+  loaded with require when used with RubyDataSource. Please refer to
+  https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for
+  details. CVE-2022-31163.
+* Ignore the SECURITY file from Arch Linux's tzdata package. #134.
+
+
 Version 1.2.9 - 16-Dec-2020
 ---------------------------
 

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2005-2020 Philip Ross
+Copyright (c) 2005-2022 Philip Ross
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of 
 this software and associated documentation files (the "Software"), to deal in 

data/README.md

@@ -1,7 +1,7 @@
 TZInfo - Ruby Timezone Library
 ==============================
 
-[![RubyGems](https://img.shields.io/gem/v/tzinfo)](https://rubygems.org/gems/tzinfo) [![Travis CI Build](https://img.shields.io/travis/com/tzinfo/tzinfo/1.2?logo=travis)](https://travis-ci.com/tzinfo/tzinfo) [![AppVeyor Build](https://img.shields.io/appveyor/build/philr/tzinfo/1.2?logo=appveyor)](https://ci.appveyor.com/project/philr/tzinfo/branch/1.2)
+[![RubyGems](https://img.shields.io/gem/v/tzinfo?logo=rubygems&label=Gem)](https://rubygems.org/gems/tzinfo) [![Tests](https://github.com/tzinfo/tzinfo/workflows/Tests/badge.svg?branch=1.2&event=push)](https://github.com/tzinfo/tzinfo/actions?query=workflow%3ATests+branch%3A1.2+event%3Apush)
 
 [TZInfo](https://tzinfo.github.io) provides daylight savings aware
 transformations between times in different timezones.

data/lib/tzinfo/ruby_data_source.rb

@@ -38,7 +38,7 @@ module TZInfo
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
       
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
       

data/lib/tzinfo/zoneinfo_data_source.rb

@@ -87,6 +87,29 @@ module TZInfo
     # The default value of ZoneinfoDataSource.alternate_iso3166_tab_search_path.
     DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH = ['/usr/share/misc/iso3166.tab', '/usr/share/misc/iso3166'].freeze
     
+    # File and directories in the top level zoneinfo directory that will be
+    # excluded from the list of available time zones:
+    #
+    #   - +VERSION is included on Mac OS X.
+    #   - leapseconds is a list of leap seconds.
+    #   - localtime is the current local timezone (may be a link).
+    #   - posix, posixrules and right are directories containing other versions
+    #     of the zoneinfo files.
+    #   - SECURITY is included in the Arch Linux tzdata package.
+    #   - src is a directory containing the tzdata source included on Solaris.
+    #   - timeconfig is a symlink included on Slackware.
+    EXCLUDED_FILENAMES = [
+      '+VERSION',
+      'leapseconds',
+      'localtime',
+      'posix',
+      'posixrules',
+      'right',
+      'SECURITY',
+      'src',
+      'timeconfig'
+    ].freeze
+
     # Paths to be checked to find the system zoneinfo directory.
     @@search_path = DEFAULT_SEARCH_PATH.dup
     
@@ -352,16 +375,8 @@ module TZInfo
     # identifiers.
     def load_timezone_index
       index = []
-      
-      # Ignoring particular files:
-      # +VERSION is included on Mac OS X.
-      # leapseconds is a list of leap seconds.
-        # localtime is the current local timezone (may be a link).
-      # posix, posixrules and right are directories containing other versions of the zoneinfo files.
-      # src is a directory containing the tzdata source included on Solaris.
-      # timeconfig is a symlink included on Slackware.
-      
-      enum_timezones(nil, ['+VERSION', 'leapseconds', 'localtime', 'posix', 'posixrules', 'right', 'src', 'timeconfig']) do |identifier|
+
+      enum_timezones(nil, EXCLUDED_FILENAMES) do |identifier|
         index << identifier
       end
       

data/test/assets/payload.rb

@@ -0,0 +1 @@
+raise 'This should never be executed'

data/test/tc_ruby_data_source.rb

@@ -48,9 +48,15 @@ class TCRubyDataSource < Minitest::Test
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/UTC')
+      @data_source.load_timezone_info('../definitions/UTC')
     end
   end
+
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+  end
   
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do

data/test/tc_timezone.rb

@@ -213,7 +213,7 @@ class TCTimezone < Minitest::Test
   end
   
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
   end
   
   def test_get_nil

data/test/tc_zoneinfo_data_source.rb

@@ -374,7 +374,7 @@ class TCZoneinfoDataSource < Minitest::Test
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/Europe/London')
+      @data_source.load_timezone_info('../zoneinfo/Europe/London')
     end
   end
   
@@ -818,6 +818,25 @@ class TCZoneinfoDataSource < Minitest::Test
     end
   end
   
+  def test_timezone_identifiers_ignored_security_file
+    # The Arch linux tzdata package includes a file named SECURITY giving
+    # instructions for reporting security-related bugs.
+
+    Dir.mktmpdir('tzinfo_test') do |dir|
+      FileUtils.touch(File.join(dir, 'zone.tab'))
+      FileUtils.touch(File.join(dir, 'iso3166.tab'))
+      FileUtils.cp(File.join(@data_source.zoneinfo_dir, 'EST'), File.join(dir, 'EST'))
+
+      File.open(File.join(dir, 'SECURITY'), 'w') do |f|
+        f.binmode
+        f.write("Please report any sensitive security-related bugs...\n")
+      end
+
+      data_source = ZoneinfoDataSource.new(dir)
+      assert_equal(['EST'], data_source.timezone_identifiers)
+    end
+  end
+
   def test_load_country_info
     info = @data_source.load_country_info('GB')
     assert_equal('GB', info.code)

data/test/test_utils.rb

@@ -153,6 +153,22 @@ module Kernel
       
       actual_lines = process.readlines
       actual_lines = actual_lines.collect {|l| l.chomp}
+
+      # Ignore warnings from JRuby 1.7 and 9.0 on modern versions of Java:
+      # https://github.com/tzinfo/tzinfo/runs/1664655982#step:8:1893
+      #
+      # Ignore untaint deprecation warnings from Bundler 1 on Ruby 3.0.
+      actual_lines = actual_lines.reject do |l|
+        l.start_with?('unsupported Java version') ||
+          l.start_with?('WARNING: An illegal reflective access operation has occurred') ||
+          l.start_with?('WARNING: Illegal reflective access by') ||
+          l.start_with?('WARNING: Please consider reporting this to the maintainers of') ||
+          l.start_with?('WARNING: All illegal access operations will be denied in a future release') ||
+          l.start_with?('WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations') ||
+          l.start_with?('io/console on JRuby shells out to stty for most operations') ||
+          l =~ /\/bundler-1\..*\/lib\/bundler\/.*\.rb:\d+: warning: (Object|Pathname)#untaint is deprecated and will be removed in Ruby 3\.2\.\z/
+      end
+
       assert_equal(expected_lines, actual_lines)
     end
   end

data/tzinfo.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'tzinfo'
-  s.version = '1.2.9'
+  s.version = '1.2.10'
   s.summary = 'Daylight savings aware timezone library'
   s.description = 'TZInfo provides daylight savings aware transformations between times in different time zones.'
   s.author = 'Philip Ross'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tzinfo
 version: !ruby/object:Gem::Version
-  version: 1.2.9
+  version: 1.2.10
 platform: ruby
 authors:
 - Philip Ross
@@ -29,7 +29,7 @@ cert_chain:
   J3Zn/kSTjTekiaspyGbczC3PUaeJNxr+yCvR4sk71Xmk/GaKKGOHedJ1uj/LAXrA
   MR0mpl7b8zCg0PFC1J73uw==
   -----END CERTIFICATE-----
-date: 2020-12-16 00:00:00.000000000 Z
+date: 2022-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thread_safe
@@ -92,6 +92,7 @@ files:
 - lib/tzinfo/zoneinfo_country_info.rb
 - lib/tzinfo/zoneinfo_data_source.rb
 - lib/tzinfo/zoneinfo_timezone_info.rb
+- test/assets/payload.rb
 - test/tc_annual_rules.rb
 - test/tc_country.rb
 - test/tc_country_index_definition.rb
@@ -190,7 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Daylight savings aware timezone library