Package: libdatetime-timezone-perl
Version: 1.63-1+2013h
Severity: normal
Tags: upstream patch
Dear Maintainer,
Bugzilla versions 4.2 and 4.4 both malfunction under the latest Perl (5.18.2-2)
and libdatetime-timezone-perl (1.63-1+2013h) with the message "Cannot determine
local time zone".
This occurs because Bugzilla runs under "Taint Mode", where values from
untrusted sources are marked as 'tainted'; certain risky operations (eval,
exec/system, open file for writing) will fail when their arguments are tainted.
This includes the mechanism used by the constructor for DateTime::TimeZone.
When DateTime::TimeZone::Local::Unix loads the time zone name from
/etc/timezone, the zone name is tainted; then, when the name is passed to
DateTime::TimeZone->new, it fails.
DateTime::TimeZone->new already securely validates the zone name before using
it. Attached is a patch (created using quilt) that modifies that validation
code such that it also untaints the zone name at the same time. It also adds a
new test to the test suite to verify correct operation.
An equivalent patch has been submitted directly to the author of
DateTime::TimeZone.
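To make the mechanism described above concrete, here is an added example, not part of this report or of DateTime::TimeZone, that reproduces the failure and the fix in miniature: a zone name read from a file is tainted under -T, a string eval with that name is refused, and a capturing regex match both validates the name and yields an untainted copy. The class prefix Demo::TimeZone::, the temporary file standing in for /etc/timezone and the two rejected inputs at the end are constructed for the example; it must be run as `perl -T taint_demo.pl` so that taint mode is on from the start.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report or DateTime::TimeZone): shows why a
# zone name read from a file is tainted under -T and how a regex capture both
# validates and untaints it. Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Constructed input: a temporary file standing in for /etc/timezone.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "Europe/Berlin\n";
close $fh or die "close: $!";

# Anything read from a file handle is tainted under -T; chomp keeps the taint.
open my $in, '<', $path or die "open $path: $!";
my $zone = <$in>;
close $in;
chomp $zone;
print "read '$zone', tainted: ", (tainted($zone) ? 'yes' : 'no'), "\n";

# Mirror what a constructor does: turn the zone name into a class name.
# Taint propagates through the substitution and the interpolation.
(my $subclass = $zone) =~ s{/}{::}g;
my $real_class = "Demo::TimeZone::$subclass";    # hypothetical class prefix
print "class '$real_class', tainted: ", (tainted($real_class) ? 'yes' : 'no'), "\n";

# A string eval with a tainted argument is refused before anything runs:
# "Insecure dependency in eval while running with -T switch".
eval "require $real_class; 1";
print "require with tainted name: $@";

# The fix: a capturing match validates the shape AND returns an untainted copy.
# Assumption: only ASCII word characters joined by '::' are acceptable.
my $class_re = qr/\A([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)*)\z/;
my ($clean) = $real_class =~ $class_re
    or die "The timezone '$zone' is an invalid name.\n";
print "class '$clean', tainted: ", (tainted($clean) ? 'yes' : 'no'), "\n";

# The same require now fails only because the module does not exist
# ("Can't locate Demo/TimeZone/Europe/Berlin.pm in @INC"), not because of taint.
eval "require $clean; 1";
print "require with untainted name: ", ($@ ? $@ : "ok\n");

# Names that do not fit the shape are rejected before they can reach require.
for my $bad ("../../etc/passwd", "Foo::Bar;system('id')") {
    my ($ok) = $bad =~ $class_re;
    print "'$bad' -> ", (defined $ok ? "accepted" : "rejected"), "\n";
}
```

The point of doing validation and untainting in one match is that the capture is the only thing Perl lets through, so the accepted shape and the laundered value cannot drift apart; `\A` and `\z` plus an explicit ASCII class keep a trailing newline or a non-ASCII "word" character from slipping into the class name.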
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- /dev/null
+++ b/t/22taintmode.t
@@ -0,0 +1,9 @@
+#!perl -wT
+use strict;
+use warnings;
+use Test::More 0.88;
+
+use_ok('DateTime::TimeZone::Local');
+ok( ref DateTime::TimeZone::Local->TimeZone );
+
+done_testing();
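Review bot: the only assertion, `ok( ref DateTime::TimeZone::Local->TimeZone );`, has no description and checks nothing beyond "a reference came back", so a failure will show up as an unnamed test and a pass does not demonstrate the property the patch is about. Give it a name (for example `'local time zone determined under -T'`) and, since the bug is taint, add a second check with `Scalar::Util::tainted` that the returned zone's name is not tainted. The test also depends on the build host having a determinable local zone (the report names /etc/timezone as the source); where none can be determined it fails for a reason unrelated to taint, so a `plan skip_all` guard for that case would keep the suite honest. Minor: `use warnings;` duplicates the `-w` in the shebang; one of the two is enough.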
--- a/lib/DateTime/TimeZone.pm
+++ b/lib/DateTime/TimeZone.pm
@@ -70,7 +70,7 @@
my $real_class = "DateTime::TimeZone::$subclass";
die "The timezone '$p{name}' in an invalid name.\n"
- unless $real_class =~ /^\w+(::\w+)*$/;
+ unless ($real_class) = ($real_class =~ /^(\w+(?:::\w+)*)$/);
unless ( $real_class->can('instance') ) {
my $e = do {
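Review bot: the new capture `/^(\w+(?:::\w+)*)$/` becomes the security boundary that launders a value read from /etc/timezone, and it inherits two looseness points from the old check: `$` also matches before a trailing newline, and `\w` matches any Unicode word character when the string is decoded. Since the captured value is then used as a class name, prefer explicit anchors and an ASCII class, e.g. `unless ($real_class) = ($real_class =~ /\A([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)*)\z/);`. Note that only `$real_class` is untainted by this hunk; `$p{name}` itself is left as it was, so nothing downstream should assume the original name is clean. While touching this `die`, fix the message on the preceding context line: "in an invalid name" should read "is an invalid name".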