https://issues.dlang.org/show_bug.cgi?id=21409
Berni44 <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Berni44 <[email protected]> ---
In my opinion, the problem is that the first parameter of getTimeZone is the name of the zone, not a path. But it is just appended (without a check) to the second parameter, which is a path (and has a default).

I think it would be OK if someone wrote getTimeZone("Europe", "/etc/passwd") and thus escaped the "/usr/share/zoneinfo/". It's not the task of a library to prevent such things, because it might be that someone intentionally put their time zone data at that place. In this case it's the responsibility of the OS, the programmer (and the user, if not identical to the programmer) to make sure that this does not lead to any harm.

Anyway, the name should be checked for correct syntax, so I leave this open.
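
One way to implement the name check the comment asks for, as an added example that is not part of the bug report or of Phobos. `isValidTZName` and `getTimeZoneChecked` are hypothetical helpers, and the accepted alphabet (ASCII letters, digits, `_`, `-`, `+`, `.`) is an assumption about what tz database names contain; the directory argument is left unchecked, as the comment argues.

```d
import std.datetime.date : DateTimeException;
import std.datetime.timezone : PosixTimeZone;
import std.stdio : writeln;

/// Hypothetical helper, not part of Phobos. Accepts relative names made of
/// '/'-separated components such as "Europe/Berlin" or "Etc/GMT+1".
/// Assumed alphabet: ASCII letters, digits, '_', '-', '+', '.'.
bool isValidTZName(const(char)[] name) @safe pure nothrow @nogc
{
    if (name.length == 0 || name[$ - 1] == '/')
        return false;                       // empty name or trailing slash
    size_t compLen = 0;                     // length of current component
    foreach (char c; name)
    {
        if (c == '/')
        {
            if (compLen == 0) return false; // leading '/' or empty "//" part
            compLen = 0;
            continue;
        }
        const ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9')
                || c == '_' || c == '-' || c == '+' || c == '.';
        if (!ok) return false;              // NUL, backslash, spaces, non-ASCII
        if (compLen == 0 && c == '.')
            return false;                   // ".", ".." and dot-files
        ++compLen;
    }
    return true;
}

/// Hypothetical wrapper: the name is validated, the directory is left to the
/// caller, as the comment above argues.
immutable(PosixTimeZone) getTimeZoneChecked(string name,
    string tzDatabaseDir = PosixTimeZone.defaultTZDatabaseDir)
{
    if (!isValidTZName(name))
        throw new DateTimeException("Invalid time zone name: " ~ name);
    return PosixTimeZone.getTimeZone(name, tzDatabaseDir);
}

void main()
{
    // Constructed sample names.
    foreach (n; ["Europe/Berlin", "Etc/GMT+1", "UTC", "../../etc/passwd",
                 "/etc/passwd", "Europe//Berlin", "Europe/", "a\0b", ""])
        writeln(isValidTZName(n) ? "accept " : "reject ", [n]);
}
```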
