[issue44829] zoneinfo.ZoneInfo does not check for Windows device names

2021-08-04 Thread Eryk Sun


Change by Eryk Sun :


--
Removed message: https://bugs.python.org/msg398916

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue44829] zoneinfo.ZoneInfo does not check for Windows device names

2021-08-04 Thread Paul Ganssle


Paul Ganssle  added the comment:

Sorry you didn't receive a response to your security@ email, I guess my 
response just went to the PSRT, not to you as well. I believe we determined 
that this was an issue in importlib.resources generally, not specific to 
zoneinfo.

I think `importlib.resources.open_binary` should check if a resource is a file 
with `os.isfile` before opening it. That will solve the issue in zoneinfo and 
other similar situations.

--




[issue44829] zoneinfo.ZoneInfo does not check for Windows device names

2021-08-04 Thread Eryk Sun


Eryk Sun  added the comment:

In zoneinfo._tzpath, _validate_tzfile_path() depends on os.path.normpath(). I 
think the Windows implementation of normpath() in the ntpath module should be 
extended to normalize reserved names in the final path component in the same 
manner as WinAPI GetFullPathNameW(). 

Alternatively, an isreserved() function could be added to os.path. This would 
allow _validate_tzfile_path() to raise a more informative exception for a 
reserved name.

Reserved names:

GetFullPathNameW() strips trailing spaces and dots from the final path 
component. This applies to all path types. For example:

>>> nt._getfullpathname('\\\\?\\UNC/server/share/spam. . .')
'\\\\?\\UNC\\server\\share\\spam'

GetFullPathNameW() reserves DOS device names in the final component of a 
relative path or drive path -- but not in a UNC path or device path. The 
following case-insensitive names are reserved:

* NUL
* CON
* CONIN$
* CONOUT$
* AUX
* PRN
* COM<1-9>
* LPT<1-9>

A reserved device name begins with one of the above base names plus an optional 
suffix. The suffix is zero or more spaces followed optionally by a "." or ":" 
and zero or more characters. The normalized result is a "\\.\" device path 
for the base device name. For example: 

>>> nt._getfullpathname('C:/Temp/con . spam')
'\\\\.\\con'
>>> nt._getfullpathname('C:/Temp/con : spam')
'\\\\.\\con'

--
components: +Windows
nosy: +eryksun, paul.moore, steve.dower, tim.golden, zach.ware




[issue44829] zoneinfo.ZoneInfo does not check for Windows device names

2021-08-04 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +belopolsky, p-ganssle




[issue44829] zoneinfo.ZoneInfo does not check for Windows device names

2021-08-04 Thread apple502j


New submission from apple502j :

Note: this issue was submitted to security@ due to its potential as a DoS 
vector on 2021-05-08, but I have not received a response (excluding the 
automated email). It is over 88 days since the report, so I am now reporting 
this publicly.

Issue: zoneinfo.ZoneInfo does not check for Windows device names on Windows. 
For example, a timezone "NUL" does not raise ZoneInfoNotFoundError; instead, it 
raises ValueError ("Invalid TZif file: magic not found").

If the timezone passed is "CON", then the program would read the content from 
stdin, and parse it as tzdata file.

This can be abused for a DoS attack for programs that call ZoneInfo with 
untrusted timezone; for example, since reading CON is a blocking operation in 
the asyncio world, a web server that calls ZoneInfo with untrusted timezone 
input would stop its job and no future connections will succeed.

Note that this bug only occurs on Windows for obvious reasons.

Repro case:
>>> from zoneinfo import ZoneInfo
>>> ZoneInfo("CON")

This is related to bpo-41530 where timezone __init__.py does not raise 
ZoneInfoNotFoundError.

And finally, this happens with other file-based operations (and they are 
probably intentional); however, zoneinfo is designed to be secure by default, 
for example by disallowing path traversals. The interactions with Windows 
device names are not documented at all in the references. It's a common 
practice to let the users choose their preferred timezone in web applications, 
and such programs are expected to call ZoneInfo constructor with externally 
provided string. Timezone calculation should never cause a web server to stop 
to read stdin.

--
components: Library (Lib)
messages: 398900
nosy: apple502j
priority: normal
severity: normal
status: open
title: zoneinfo.ZoneInfo does not check for Windows device names
type: behavior
versions: Python 3.10, Python 3.11, Python 3.9

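An added example, not code from this thread or from CPython, that implements the reserved-name rules Eryk Sun lays out above as a pure-string check and uses it to reject untrusted timezone keys before they reach ZoneInfo, which closes the exposure apple502j describes. `is_reserved`, `check_tz_key`, `validate_tz_key` and `open_tz_resource` are hypothetical helpers named here for illustration; `open_tz_resource` also applies the `os.path.isfile` guard Paul Ganssle suggests. The device-name logic is string-only, so it runs on any OS (CPython 3.13 later added `os.path.isreserved`, Windows-only, with comparable rules).

```python
import ntpath
import os
import re

# Base device names that GetFullPathNameW reserves in the final component of a
# relative or drive path (the list from Eryk Sun's message), followed by the
# optional suffix: zero or more spaces, then optionally "." or ":" plus anything.
_RESERVED_RE = re.compile(
    r"^(?:NUL|CON|CONIN\$|CONOUT\$|AUX|PRN|COM[1-9]|LPT[1-9]) *(?:[.:].*)?$",
    re.IGNORECASE | re.DOTALL,
)


def is_reserved(path: str) -> bool:
    """True if Windows would map the final component of *path* to a DOS device.

    Hypothetical helper (assumption: not CPython API). UNC paths and \\.\ or
    \\?\ device paths are exempt, matching the behaviour described in the thread.
    """
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):          # UNC or device path: names are not reserved
        return False
    _drive, rest = ntpath.splitdrive(p)
    final = rest.rsplit("\\", 1)[-1]
    return _RESERVED_RE.match(final) is not None


def check_tz_key(key: str):
    """Return None if *key* is safe to join under a tzdata root, else a reason.

    Hypothetical helper. Every component is checked, not only the last one, so
    a key is rejected even when the device name is not in the final position.
    """
    if not key or key[0] in "/\\" or ntpath.splitdrive(key)[0]:
        return "absolute or drive-qualified"
    for part in key.replace("\\", "/").split("/"):
        if part in ("", ".", ".."):
            return "empty or traversal component"
        # GetFullPathNameW strips trailing spaces and dots, so such a component
        # would resolve to a different file than the one named.
        if part != part.rstrip(" ."):
            return "trailing space or dot (would be stripped on Windows)"
        if is_reserved(part):
            return "Windows device name"
    return None


def validate_tz_key(key: str) -> str:
    """Raise ValueError for an unsafe key; return it unchanged otherwise."""
    reason = check_tz_key(key)
    if reason is not None:
        raise ValueError(f"{reason}: {key!r}")
    return key


def open_tz_resource(root: str, key: str):
    """Open a TZif file under *root* for an untrusted *key* (hypothetical helper).

    Combines the string check with the isfile guard suggested in the thread:
    on Windows os.path.isfile("CON") is False because CON is a character
    device, so even a key that slipped past the string check never blocks on
    stdin here.
    """
    path = os.path.join(root, validate_tz_key(key))
    if not os.path.isfile(path):
        raise FileNotFoundError(f"no such tzdata file: {key!r}")
    return open(path, "rb")


if __name__ == "__main__":
    # Constructed sample keys: the thread's examples plus a few edge cases.
    for sample in ("America/New_York", "CON", "Etc/con . spam", "COM10",
                   "../etc/passwd", "Etc/UTC. . ."):
        print(f"{sample!r:22} -> {check_tz_key(sample) or 'ok'}")
```

`COM10` and `console` are deliberately accepted: only `COM1` to `COM9` and an exact base name followed by the described suffix are reserved, so a checker that blocks every string starting with a base name would reject legitimate names such as `Europe/Constantinople`-style components that merely begin with "CON".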