POSIX timzone specs may contain '.' so only reject names containing '../'.

Noted by pjanzen@ with input from deraadt@.

diff --git a/lib/libc/time/localtime.c b/lib/libc/time/localtime.c
index 704c254..6f1c207 100644 (file)
--- a/lib/libc/time/localtime.c
+++ b/lib/libc/time/localtime.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: localtime.c,v 1.63 2022/09/21 15:57:49 millert Exp $ */
+/*     $OpenBSD: localtime.c,v 1.64 2022/09/23 17:29:22 millert Exp $ */
 /*
 ** This file is in the public domain, so clarified as of
 ** 1996-06-05 by Arthur David Olson.
@@ -325,8 +325,8 @@ tzload(const char *name, struct state *sp, int doextend)
                 */
                if (name[0] == ':')
                        name++;
-               /* Ignore absolute paths or names that might contain "..". */
-               if (name[0] == '/' || strchr(name, '.'))
+               /* Ignore absolute paths or names that contain "../". */
+               if (name[0] == '/' || strstr(name, "../") != NULL)
                        name = NULL;
        }
        if (name == NULL) {

diff --git a/lib/libc/time/tzset.3 b/lib/libc/time/tzset.3
index 72312bf..12083b1 100644 (file)
--- a/lib/libc/time/tzset.3
+++ b/lib/libc/time/tzset.3
@@ -1,5 +1,5 @@
-.\"    $OpenBSD: tzset.3,v 1.24 2022/09/21 15:57:49 millert Exp $
-.Dd $Mdocdate: September 21 2022 $
+.\"    $OpenBSD: tzset.3,v 1.25 2022/09/23 17:29:22 millert Exp $
+.Dd $Mdocdate: September 23 2022 $
 .Dt TZSET 3
 .Os
 .Sh NAME
@@ -59,9 +59,9 @@ If
 .Ev TZ
 begins with a
 .Ql /
-or contains a
-.Ql \&.
-character, it is ignored and the system local time zone file,
+or contains
+.Ql \&../ ,
+it is ignored and the system local time zone file,
 .Pa /etc/localtime ,
 is used instead.
 The file must be in the format specified in