DateTime:FormatUniversalTime and DateTime:FormatLocalTime allow you to pass a locale as an argument. This locale gets interpreted as a filepath, allowing a string like .. to go up a folder level. To my knowledge, this poses no threat, because it can only read json files, but on the off chance it can be used maliciously, I’m reporting it.
To replicate this issue:
- Navigate to the latest version folder
- Go to
content\configs\DateTimeLocaleConfigs - Copy a locale json (eg
en-ca) - Paste it in
content - Change it slightly (example in video below)
- Run one of the format functions with the locale string prefixed with
../../(e.g.../../en-ca) - Observe that the config file has been read from
contentinstead ofDateTimeLocaleConfigs
For reasons I cannot explain, en-us doesn’t seem to work.
To better demonstrate what I mean, here’s a video:
This is on Roblox Studio version 0.438.0.407270, 64-bit. Hopefully the video makes it clear what’s going on.