keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

`TZ` environment variable being set breaks TOTPs #10802

Open jhmaster2000 opened 3 months ago

jhmaster2000 commented 3 months ago

Overview

Having the TZ environment variable set to any valid timezone that is not exactly the same as your system's will break TOTPs. Setting this variable is done on purpose to override the timezone used by certain programs like Node.js, commonly TZ=UTC as it was in my case, but a TOTP program should not listen to this and should use the true system time unconditionally. For reference, Authy Desktop (from which I am migrating to KeepassXC) worked correctly regardless of the TZ variable being set.

Steps to Reproduce

  1. With KeepassXC closed, set the TZ environment variable to UTC (unless you actually live in the UTC timezone, then set it to anything else like Etc/GMT+5)
  2. Launch KeepassXC
  3. Notice your TOTPs are incorrect (try using one and it won't work)

Expected Behavior

Like Authy Desktop, KeepassXC should have ignored the TZ variable and still given correct TOTP codes.

Actual Behavior

KeepassXC is fooled by the TZ variable and gives wrong TOTP codes.

Context

Installed through Winget

KeePassXC - Version 2.7.8

Revision: f6757d3

Operating system: Windows 10 Version 2009

CPU architecture: x86_64

Kernel: winnt 10.0.19045

phoerious commented 3 months ago

Windows stores the hardware system time as local time, not UTC. So setting TZ to anything other than your actual timezone is kind of expected to give the wrong results. We use Qt's QDateTime, which handles all that transparently. The only thing we could do is unset TZ before retrieving the time, but that would just shift the problem from time being wrong if TZ is wrong to time being wrong if TZ is correct (but different from system time).
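The effect discussed in this thread, as an added example that is not part of the issue and is not KeePassXC or Qt code: TOTP (RFC 6238) is computed from Unix epoch seconds, so converting a wall-clock reading with the wrong UTC offset moves the counter by offset/30 steps, far outside a verifier's usual tolerance. The secret, the clock reading, the UTC-5 system offset and the helper names are constructed for illustration, and modelling the fault as a wall-clock conversion with the wrong offset is an assumption based on the explanation above.

```python
import hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

STEP = 30  # RFC 6238 default time step, in seconds

def totp(secret: bytes, epoch: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix time given in seconds."""
    counter = struct.pack(">Q", epoch // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def epoch_from_wall_clock(wall: datetime, utc_offset_hours: float) -> int:
    """Unix time for a naive wall-clock reading, given the offset it is assumed to be in."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(wall.replace(tzinfo=tz).timestamp())

def drift_steps(wall, system_offset, assumed_offset) -> int:
    """How many TOTP steps the client is off when it assumes the wrong offset."""
    real = epoch_from_wall_clock(wall, system_offset)
    skewed = epoch_from_wall_clock(wall, assumed_offset)
    return (skewed - real) // STEP

def accepts(secret, code, server_epoch, window=1, digits=6) -> bool:
    """Server-side check with the usual +/- `window` steps of tolerance."""
    return any(
        hmac.compare_digest(code, totp(secret, server_epoch + i * STEP, digits))
        for i in range(-window, window + 1)
    )

# Constructed sample values (not from the issue).
SECRET = b"12345678901234567890"          # RFC 6238 test secret
WALL = datetime(2024, 5, 1, 12, 0, 0)     # clock reading on a UTC-5 machine

if __name__ == "__main__":
    real = epoch_from_wall_clock(WALL, -5)    # what the server sees
    skewed = epoch_from_wall_clock(WALL, 0)   # client treating the reading as UTC
    print("drift in steps:", drift_steps(WALL, -5, 0))
    print("correct code accepted:", accepts(SECRET, totp(SECRET, real), real))
    print("skewed code accepted: ", accepts(SECRET, totp(SECRET, skewed), real))
```

When troubleshooting a report like this one, comparing the client's epoch seconds against a trusted time source shows the drift directly, without exposing any secret.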

jhmaster2000 commented 3 months ago

TZ is not a variable that is normally set; Windows doesn't store its own timezone in use there. It is an override variable for power users to use. The majority (99%) of users will not have it set to anything, and a lot of programs, including Windows itself, don't respect the variable, so a system with incorrect Windows time using TZ to "correct" it isn't even really possible; it would already be broken in a lot of other ways.

I reckon unsetting it for KeepassXC's env would be fine. At least, if even despite all the above you still feel it'd risk breaking anything (but it wouldn't), could it be made a setting to ignore the variable or not?

JonatanWick commented 2 months ago

Is my issue #10807 related in any way?

droidmonkey commented 2 months ago

No