TZ environment variable being set breaks TOTPs #10802

Open
jhmaster2000 opened this issue May 24, 2024 · 4 comments

Comments

@jhmaster2000

Overview

Having the TZ environment variable set to any valid timezone that is not exactly the same as your system's will break TOTPs. Setting this variable is done on purpose to override the timezone used by certain programs like Node.js, commonly TZ=UTC as it was in my case, but a TOTP program should not listen to this and should use the true system time unconditionally. For reference, Authy Desktop (from which I am migrating to KeePassXC) worked correctly regardless of the TZ variable being set.

Steps to Reproduce

  1. With KeePassXC closed, set the TZ environment variable to UTC (unless you actually live in the UTC timezone, then set it to anything else like Etc/GMT+5)
  2. Launch KeePassXC
  3. Notice your TOTPs are incorrect (try using one and it won't work)

Expected Behavior

Like Authy Desktop, KeePassXC should have ignored the TZ variable and still given correct TOTP codes.

Actual Behavior

KeePassXC is fooled by the TZ variable and gives wrong TOTP codes.

Context

Installed through Winget

KeePassXC - Version 2.7.8
Revision: f6757d3

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.19045

@phoerious
Member

Windows stores the hardware system time as local time, not UTC. So setting TZ to anything other than your actual timezone is kind of expected to give the wrong results. We use Qt's QDateTime, which handles all that transparently. The only thing we could do is unset TZ before retrieving the time, but that would just shift the problem from time being wrong if TZ is wrong to time being wrong if TZ is correct (but different from system time).
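
The effect described in the comment above, as an added example (not KeePassXC or Qt code, and not posted by anyone in this thread): RFC 6238 derives the TOTP counter from UTC epoch seconds, so a local wall-clock reading interpreted under the wrong zone offset moves the counter by whole 30-second steps. The secret and timestamp are the RFC 6238 test values; the UTC-5 system zone and all helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, epoch: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is UTC epoch seconds // STEP."""
    return hotp(key, epoch // STEP, digits)


def wall_clock(epoch: int, utc_offset: timedelta) -> datetime:
    """Naive local wall-clock reading of an instant in the given zone."""
    return datetime.fromtimestamp(epoch, timezone(utc_offset)).replace(tzinfo=None)


def epoch_from_wall_clock(wall: datetime, assumed_offset: timedelta) -> int:
    """Epoch obtained when a wall-clock reading is interpreted in assumed_offset."""
    return int(wall.replace(tzinfo=timezone(assumed_offset)).timestamp())


def counter_skew(epoch: int, system_offset: timedelta, assumed_offset: timedelta) -> int:
    """Steps by which the TOTP counter moves when the two zones disagree."""
    derived = epoch_from_wall_clock(wall_clock(epoch, system_offset), assumed_offset)
    return derived // STEP - epoch // STEP


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test secret
    now = 1111111109                # RFC 6238 test time, 2005-03-18 01:58:29 UTC
    system = timedelta(hours=-5)    # constructed: the machine runs at UTC-5
    # Hypothetical failure: the local reading is treated as if it were UTC.
    wrong = epoch_from_wall_clock(wall_clock(now, system), timedelta(0))
    print("correct:", totp(key, now, 8))
    print("skewed: ", totp(key, wrong, 8),
          "steps off:", counter_skew(now, system, timedelta(0)))
```

A five-hour disagreement moves the counter 600 steps, far outside the one or two steps of clock drift a verifier usually tolerates.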

@jhmaster2000
Author

TZ is not a variable that is normally set. Windows doesn't store its own timezone in use there; it is an override variable for power users to use. The majority (99%) of users will not have it set to anything, and a lot of programs, including Windows itself, don't respect the variable, so a system with incorrect Windows time using TZ to "correct" it isn't even really possible; it would already be broken in a lot of other ways.

I reckon unsetting it for KeePassXC's env would be fine. At least, if despite all the above you still feel it'd risk breaking anything (but it wouldn't), could it be made a setting to ignore the variable or not?

@JonatanWick

JonatanWick commented May 25, 2024

Is my issue #10807 related in any way?

@droidmonkey
Member

No
