Bugfix: Prevent cleartext transmission of tz data during build

grunt build script downloaded tz data via unencrypted ftp, which could enable an attacker to MITM and provide a bogus tz data, compromising the build pipeline or the whole build moment. Switch to using an https endpoing provided by IANA to avoid this. Advisory: GHSA-v78c-4p63-2j6c
moment · Aug 23, 2022 · 7915ac5 · 7915ac5
1 parent ce955a3
commit 7915ac5
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tasks/data-download.js b/tasks/data-download.js
@@ -9,7 +9,7 @@ module.exports = function (grunt) {
 
 		var done  = this.async(),
 			src   = (version === 'latest' ?
-				'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz' :
+				'https://data.iana.org/time-zones/tzdata-latest.tar.gz' :
 				'https://data.iana.org/time-zones/releases/tzdata' + version + '.tar.gz'),
 			curl  = path.resolve('temp/curl', version, 'data.tar.gz'),
 			dest  = path.resolve('temp/download', version);