Bugfix: Prevent cleartext transmission of tz data during build

ichernev · ichernev · commit 7915ac567ab1 · 2022-08-23T15:31:12.000+03:00
grunt build script downloaded tz data via unencrypted ftp, which could enable an attacker to MITM and provide a bogus tz data, compromising the build pipeline or the whole build moment. Switch to using an https endpoing provided by IANA to avoid this. Advisory: GHSA-v78c-4p63-2j6c
diff --git a/tasks/data-download.js b/tasks/data-download.js
@@ -9,7 +9,7 @@ module.exports = function (grunt) {
 
 		var done  = this.async(),
 			src   = (version === 'latest' ?
-				'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz' :
+				'https://data.iana.org/time-zones/tzdata-latest.tar.gz' :
 				'https://data.iana.org/time-zones/releases/tzdata' + version + '.tar.gz'),
 			curl  = path.resolve('temp/curl', version, 'data.tar.gz'),
 			dest  = path.resolve('temp/download', version);
