Re: TZ environment variable
olsona@dc37a.nci.nih.gov said:
If the TZ environment variable needs to be checked for mischief-making time zone abbreviations, the same check needs to be applied to values derived from time zone files (since, at least on some systems, users can create arbitrary files and arrange for them to be used with an appropriate TZ setting.)
I always personally considered *that* a bit of a security bug. In the Tcl implementation, I restricted named timezones to combinations of alphanumerics, slashes and underscores, without a leading slash; in this way, paths from the root or from '..' couldn't be constructed. It's arguable that it's a feature rather than a bug, but I decided to err on the side of caution, since a programmer can augment the search path for the files if desired.

--
73 de ke9tv/2, Kevin KENNY
GE Corporate Research & Development
kennykb@crd.ge.com
P. O. Box 8, Bldg. K-1, Rm. 5B36A
Schenectady, New York 12301-0008 USA
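The name restriction described in the message above, sketched in C as an added example; it is not the Tcl implementation's code or code from the original post. The function names, the /usr/share/zoneinfo directory and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowed set as stated in the post: alphanumerics, slashes, underscores. */
static const char TZ_ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/_";

/* Hypothetical helper: returns 1 if the zone name is non-empty, has no
 * leading slash and uses only allowed characters. Since '.' is not
 * allowed, a ".." component cannot appear. Under the rule as stated,
 * names containing '+' or '-' (such as Etc/GMT+5) are rejected too. */
int tz_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    /* strspn stops at the first disallowed byte; accept only if that
     * byte is the terminator. */
    return name[strspn(name, TZ_ALLOWED)] == '\0';
}

/* Hypothetical helper: writes "<dir>/<name>" into out for accepted names.
 * Returns 0 on success, -1 if the name is rejected or out is too small. */
int tz_build_path(const char *dir, const char *name, char *out, size_t outlen)
{
    if (!tz_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    const char *samples[] = { "America/New_York", "/etc/passwd",
                              "../../tmp/zonefile", "Etc/GMT+5", "" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (tz_build_path("/usr/share/zoneinfo", samples[i],
                          path, sizeof path) == 0)
            printf("accept %s -> %s\n", samples[i], path);
        else
            printf("reject \"%s\"\n", samples[i]);
    }
    return 0;
}
```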