Note: this issue was submitted to security@ due to its potential as a DoS vector on 2021-05-08, but I have not received a response (excluding the automated email). It is over 88 days since the report, so I am now reporting this publicly.

Issue: zoneinfo.ZoneInfo does not check for Windows device names on Windows. For example, a timezone "NUL" do not raise ZoneInfoNotFoundError; instead, it raises ValueError ("Invalid TZif file: magic not found").

If the timezone passed is "CON", then the program would read the content from stdin, and parse it as tzdata file.

This can be abused for a DoS attack for programs that call ZoneInfo with untrusted timezone; for example, since reading CON is a blocking operation in the asyncio world, a web server that calls ZoneInfo with untrusted timezone input would stop its job and no future connections will succeed.

Note that this bug only occurs on Windows for obvious reasons.

Repro case:
>>> from zoneinfo import ZoneInfo
>>> ZoneInfo("CON")

This is related to bpo-41530 where timezone __init__.py does not raise ZoneInfoNotFoundError.

And finally, this happens with other file-based operations (and they are probably intentional); however, zoneinfo is designed to be secure by default, for example by disallowing path traversals. The interactions with Windows device names are not documented at all in the references. It's a common practice to let the users choose their preferred timezone in web applications, and such programs are expected to call ZoneInfo constructor with externally provided string. Timezone calculation should never cause a web server to stop to read stdin.