From 048bd776384d5765f5c72438cd1ded043c264357 Mon Sep 17 00:00:00 2001
From: Jose Quintana <joseluisquintana20@gmail.com>
Date: Sun, 25 Sep 2022 22:23:55 +0200
Subject: [PATCH] fix: potential segfault in the time crate `RUSTSEC-2020-0071`

migrating `time` to latest `chrono` 0.4

fixes #142
---
 Cargo.lock               | 64 +++++++++++++++++++++++++++++++++++++++-
 Cargo.toml               |  2 +-
 src/directory_listing.rs | 15 +++++++---
 3 files changed, 75 insertions(+), 6 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f6865e85..e4d342a0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -32,6 +32,15 @@ dependencies = [
  "alloc-no-stdlib",
 ]
 
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "ansi_term"
 version = "0.12.1"
@@ -170,6 +179,21 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
+[[package]]
+name = "chrono"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1"
+dependencies = [
+ "iana-time-zone",
+ "js-sys",
+ "num-integer",
+ "num-traits",
+ "time",
+ "wasm-bindgen",
+ "winapi",
+]
+
 [[package]]
 name = "cipher"
 version = "0.3.0"
@@ -190,6 +214,12 @@ dependencies = [
  "unicode-width",
 ]
 
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
+
 [[package]]
 name = "cpufeatures"
 version = "0.2.5"
@@ -495,6 +525,19 @@ dependencies = [
  "want",
 ]
 
+[[package]]
+name = "iana-time-zone"
+version = "0.1.50"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd911b35d940d2bd0bea0f9100068e5b97b51a1cbe13d13382f132e0365257a0"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "js-sys",
+ "wasm-bindgen",
+ "winapi",
+]
+
 [[package]]
 name = "indexmap"
 version = "1.9.1"
@@ -614,6 +657,25 @@ dependencies = [
  "windows-sys",
 ]
 
+[[package]]
+name = "num-integer"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+dependencies = [
+ "autocfg",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.13.1"
@@ -954,6 +1016,7 @@ dependencies = [
  "async-compression",
  "bcrypt",
  "bytes",
+ "chrono",
  "form_urlencoded",
  "futures-util",
  "globset",
@@ -975,7 +1038,6 @@ dependencies = [
  "signal-hook-tokio",
  "structopt",
  "tikv-jemallocator",
- "time",
  "tokio",
  "tokio-rustls",
  "tokio-util",
diff --git a/Cargo.toml b/Cargo.toml
index 6a47e8a0..8d373198 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,7 +50,7 @@ serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_ignored = "0.1"
 serde_repr = "0.1"
 structopt = { version = "0.3", default-features = false }
-time = { version = "0.1", default-features = false }
+chrono = "0.4"
 tokio = { version = "1", default-features = false, features = ["rt-multi-thread", "macros", "fs", "io-util", "signal"] }
 tokio-rustls = { version = "0.23" }
 tokio-util = { version = "0.7", default-features = false, features = ["io"] }
diff --git a/src/directory_listing.rs b/src/directory_listing.rs
index 5f48f79e..0e12b1c5 100644
--- a/src/directory_listing.rs
+++ b/src/directory_listing.rs
@@ -1,3 +1,4 @@
+use chrono::{DateTime, Local, NaiveDateTime, Utc};
 use futures_util::future::Either;
 use futures_util::{future, FutureExt};
 use headers::{ContentLength, ContentType, HeaderMapExt};
@@ -145,7 +146,7 @@ async fn read_dir_entries(
         }
 
         let modified = match parse_last_modified(meta.modified()?) {
-            Ok(tm) => tm.to_local().strftime("%F %T")?.to_string(),
+            Ok(local_dt) => local_dt.format("%F %T").to_string(),
             Err(err) => {
                 tracing::error!("error determining file last modified: {:?}", err);
                 String::from("-")
@@ -310,7 +311,9 @@ fn sort_files(
     (name, last_modified, size)
 }
 
-fn parse_last_modified(modified: SystemTime) -> Result<time::Tm, Box<dyn std::error::Error>> {
+fn parse_last_modified(
+    modified: SystemTime,
+) -> Result<DateTime<Local>, Box<dyn std::error::Error>> {
     let since_epoch = modified.duration_since(UNIX_EPOCH)?;
     // HTTP times don't have nanosecond precision, so we truncate
     // the modification time.
@@ -321,6 +324,10 @@ fn parse_last_modified(modified: SystemTime) -> Result<time::Tm, Box<dyn std::er
     // the modification time of a file with greater than second
     // precision appears to be something that only is possible to
     // do on Linux.
-    let ts = time::Timespec::new(since_epoch.as_secs() as i64, 0);
-    Ok(time::at_utc(ts))
+    let utc_dt = NaiveDateTime::from_timestamp(
+        since_epoch.as_secs() as i64,
+        since_epoch.subsec_nanos() as u32,
+    );
+    let local_dt = DateTime::<Utc>::from_utc(utc_dt, Utc).with_timezone(&Local);
+    Ok(local_dt)
 }