Merge branch 'fix-directory-traversal-1.2' into 1.2

lib/tzinfo/ruby_data_source.rb

@@ -38,7 +38,7 @@ def initialize
  # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
  # identifier is invalid.
  def load_timezone_info(identifier)
- raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+ raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
 
  identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
 

test/assets/payload.rb

@@ -0,0 +1 @@
+raise 'This should never be executed'

test/tc_ruby_data_source.rb

@@ -48,9 +48,15 @@ def test_load_timezone_info_does_not_exist
 
  def test_load_timezone_info_invalid
  assert_raises(InvalidTimezoneIdentifier) do
- @data_source.load_timezone_info('../Definitions/UTC')
+ @data_source.load_timezone_info('../definitions/UTC')
  end
  end
+
+ def test_load_timezone_info_directory_traversal
+ test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+ payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+ assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+ end
 
  def test_load_timezone_info_nil
  assert_raises(InvalidTimezoneIdentifier) do

test/tc_timezone.rb

@@ -213,7 +213,7 @@ def test_get_not_exist
  end
 
  def test_get_invalid
- assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+ assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
  end
 
  def test_get_nil

test/tc_zoneinfo_data_source.rb

@@ -374,7 +374,7 @@ def test_load_timezone_info_does_not_exist
 
  def test_load_timezone_info_invalid
  assert_raises(InvalidTimezoneIdentifier) do
- @data_source.load_timezone_info('../Definitions/Europe/London')
+ @data_source.load_timezone_info('../zoneinfo/Europe/London')
  end
  end