New submission from apple502j <apple5...@yahoo.co.jp>:

Note: this issue was submitted to security@ due to its potential as a DoS 
vector on 2021-05-08, but I have not received a response (excluding the 
automated email). It is over 88 days since the report, so I am now reporting 
this publicly.

Issue: zoneinfo.ZoneInfo does not check for Windows device names on Windows. 
For example, a timezone "NUL" does not raise ZoneInfoNotFoundError; instead, it 
raises ValueError ("Invalid TZif file: magic not found").

If the timezone passed is "CON", then the program would read the content from 
stdin and parse it as a tzdata file.

This can be abused for a DoS attack against programs that call ZoneInfo with an 
untrusted timezone; for example, since reading CON is a blocking operation in 
the asyncio world, a web server that calls ZoneInfo with untrusted timezone 
input would stop its job and no future connections would succeed.

Note that this bug only occurs on Windows for obvious reasons.

Repro case:
>>> from zoneinfo import ZoneInfo
>>> ZoneInfo("CON")

This is related to bpo-41530 where timezone __init__.py does not raise 
ZoneInfoNotFoundError.

And finally, this happens with other file-based operations (and they are 
probably intentional); however, zoneinfo is designed to be secure by default, 
for example by disallowing path traversals. The interactions with Windows 
device names are not documented at all in the references. It's a common 
practice to let the users choose their preferred timezone in web applications, 
and such programs are expected to call the ZoneInfo constructor with an 
externally provided string. Timezone calculation should never cause a web server 
to stop to read stdin.

----------
components: Library (Lib)
messages: 398900
nosy: apple502j
priority: normal
severity: normal
status: open
title: zoneinfo.ZoneInfo does not check for Windows device names
type: behavior
versions: Python 3.10, Python 3.11, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44829>
_______________________________________
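As an added illustration (not part of the report and not CPython's own code): a caller-side check that rejects Windows device names and path-like keys before an untrusted string ever reaches ZoneInfo. The reserved-name list and the allowed key shape are this example's own assumptions about what a well-formed IANA key looks like.

```python
import re
import zoneinfo

# Windows reserved device names (conservative list, this example's assumption).
# Windows resolves "CON.txt" or "NUL " to the same device: anything after the
# first '.' and any trailing dots/spaces are ignored, so we strip them too.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}

# Shape of one IANA key component: letters, digits, '_', '-', '+'
# (e.g. "Etc/GMT+5", "America/Port-au-Prince"). No dots, so ".." is out too.
_COMPONENT_RE = re.compile(r"^[A-Za-z0-9_+-]+$")


def is_windows_device_name(component: str) -> bool:
    """True if this path component would resolve to a Windows device."""
    stem = component.rstrip(" .").split(".", 1)[0]
    return stem.upper() in _RESERVED


def validate_tz_key(key: str) -> str:
    """Return key unchanged if it is safe to hand to ZoneInfo, else raise.

    Rejects absolute paths, backslashes, dotted or empty components (path
    traversal) and any component naming a Windows device such as CON or NUL.
    """
    if not key or key.startswith("/") or "\\" in key:
        raise ValueError(f"invalid time zone key: {key!r}")
    for comp in key.split("/"):
        if is_windows_device_name(comp):
            raise ValueError(f"time zone key names a Windows device: {comp!r}")
        if not _COMPONENT_RE.match(comp):
            raise ValueError(f"invalid time zone key component: {comp!r}")
    return key


def safe_zoneinfo(key: str) -> zoneinfo.ZoneInfo:
    """Validate an untrusted key before any file access, then build the zone."""
    return zoneinfo.ZoneInfo(validate_tz_key(key))


if __name__ == "__main__":
    for candidate in ("Europe/London", "CON", "nul.txt", "America/COM1", "../etc"):
        try:
            print(candidate, "->", validate_tz_key(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Where tzdata is installed, checking `key in zoneinfo.available_timezones()` is the stricter allowlist and can be combined with this check.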