New submission from apple502j <[email protected]>:
Note: this issue was submitted to security@ due to its potential as a DoS
vector on 2021-05-08, but I have not received a response (excluding the
automated email). It is over 88 days since the report, so I am now reporting
this publicly.
Issue: zoneinfo.ZoneInfo does not check for Windows device names on Windows.
For example, a timezone "NUL" does not raise ZoneInfoNotFoundError; instead, it
raises ValueError ("Invalid TZif file: magic not found").
If the timezone passed is "CON", then the program would read the content from
stdin, and parse it as a tzdata file.
This can be abused for a DoS attack against programs that call ZoneInfo with an
untrusted timezone; for example, since reading CON is a blocking operation in
the asyncio world, a web server that calls ZoneInfo with untrusted timezone
input would stop its job and no future connections would succeed.
Note that this bug only occurs on Windows for obvious reasons.
Repro case:
>>> from zoneinfo import ZoneInfo
>>> ZoneInfo("CON")
This is related to bpo-41530 where timezone __init__.py does not raise
ZoneInfoNotFoundError.
And finally, this happens with other file-based operations (and they are
probably intentional); however, zoneinfo is designed to be secure by default,
for example by disallowing path traversal. The interactions with Windows
device names are not documented at all in the references. It's a common
practice to let users choose their preferred timezone in web applications,
and such programs are expected to call the ZoneInfo constructor with an
externally provided string. Timezone calculation should never cause a web
server to stop to read stdin.
----------
components: Library (Lib)
messages: 398900
nosy: apple502j
priority: normal
severity: normal
status: open
title: zoneinfo.ZoneInfo does not check for Windows device names
type: behavior
versions: Python 3.10, Python 3.11, Python 3.9
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue44829>
_______________________________________
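As an added defensive example (not part of the report above or of CPython's zoneinfo), the following validator rejects a user-supplied key before it ever reaches ZoneInfo if any path component would be resolved by Windows as a reserved device name (CON, NUL, COM1 and so on, with or without an extension) or is otherwise not shaped like an IANA key. The device-name set, the key-shape rule and the function names are assumptions for this example; the check is platform-independent so it can be applied everywhere.

```python
import re
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Reserved DOS device names (assumed list for this example). Windows resolves
# these regardless of directory, and "CON.txt" or "NUL." still name the device,
# so only the part before the first dot is compared.
_WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Conservative shape for one component of an IANA key such as
# "America/Argentina/Buenos_Aires" or "Etc/GMT+1" (assumed rule).
_COMPONENT_RE = re.compile(r"[A-Za-z0-9_+.-]+")


def is_safe_zoneinfo_key(key: str) -> bool:
    """Return True only if every '/'-separated component of `key` is a plain
    IANA-style name: no empty or dot-only components (blocks '..' traversal
    and absolute paths) and no Windows device-name stem."""
    if not key or len(key) > 100:
        return False
    for comp in key.split("/"):
        if not _COMPONENT_RE.fullmatch(comp):
            return False          # empty component, space, colon, backslash ...
        if comp in (".", ".."):
            return False          # relative-path components
        stem = comp.split(".", 1)[0].upper()
        if stem in _WINDOWS_DEVICE_NAMES:
            return False          # "CON", "con.txt", "Etc/NUL" ...
    return True


def load_untrusted_zoneinfo(key: str) -> ZoneInfo:
    """Resolve a key taken from an untrusted source (e.g. a web form).
    Invalid keys are reported as ZoneInfoNotFoundError, matching what the
    caller already has to handle for unknown zones, and never reach the
    filesystem, so no device is opened on Windows."""
    if not is_safe_zoneinfo_key(key):
        raise ZoneInfoNotFoundError(key)
    return ZoneInfo(key)


if __name__ == "__main__":
    for candidate in ("Europe/Berlin", "CON", "nul.txt", "Etc/COM1", "../x"):
        print(f"{candidate!r:16} safe={is_safe_zoneinfo_key(candidate)}")
```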