May 9, 2005
8:05 p.m.
<<On Mon, 09 May 2005 12:23:24 -0700, Paul Eggert <eggert@CS.UCLA.EDU> said:
"Olson, Arthur David (NIH/NCI)" <olsona@dc37a.nci.nih.gov> writes:
If the TZ environment variable needs to be checked for mischief-making time zone abbreviations, the same check needs to be applied to values derived from time zone files.
Yes, quite right. Presumably the same check should be applied to each.
My argument is that the correct way to handle this would be to expect security-sensitive applications to do:

	unsetenv("TZ");
	tzset();

...which they ought to do anyway. A slight improvement, for those systems which implement issetugid(), would be for the library routines to ignore the setting of TZ if this returns true.

-GAWollman
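The following is an added example, not code from this thread or from the tz distribution: it performs the unsetenv("TZ"); tzset(); scrub described above and then applies an abbreviation check to the tzname[] values that now come from the system's zone file. The function names, the 3-to-6-character alphanumeric rule, and the use of a uid/gid comparison as a portable stand-in for issetugid() are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Assumed policy for this sketch: 3 to 6 characters, each an ASCII
 * letter, digit, '+' or '-'. Anything else (format directives,
 * control bytes, over-long strings) is rejected. */
int tz_abbr_ok(const char *abbr)
{
    size_t n, i;

    if (abbr == NULL)
        return 0;
    n = strlen(abbr);
    if (n < 3 || n > 6)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)abbr[i];
        if (c > 127 || !(isalnum(c) || c == '+' || c == '-'))
            return 0;
    }
    return 1;
}

/* Stand-in for issetugid() where it is unavailable: true when the
 * real and effective ids differ (set-user-ID or set-group-ID). */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Discard the caller-supplied TZ, reinitialize, then apply the same
 * check to the abbreviations derived from the system default zone.
 * Returns 0 when both are acceptable, -1 otherwise. */
int scrub_tz(void)
{
    if (unsetenv("TZ") != 0)
        return -1;
    tzset();
    return (tz_abbr_ok(tzname[0]) && tz_abbr_ok(tzname[1])) ? 0 : -1;
}

int main(void)
{
    /* Scrub unconditionally; a library would gate on running_privileged(). */
    return scrub_tz() == 0 ? 0 : 1;
}
```

Note that after the scrub the process uses the system default zone rather than UTC, which is why the abbreviations are checked again after tzset().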