From a88d58b8033c36ffc70b16c55fd0624a20c4f046 Mon Sep 17 00:00:00 2001
From: millert
Date: Fri, 23 Sep 2022 17:29:22 +0000
Subject: [PATCH] POSIX timzone specs may contain '.' so only reject names containing '../'. Noted by pjanzen@ with input from deraadt@.
---
 lib/libc/time/localtime.c | 6 +++---
 lib/libc/time/tzset.3 | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/libc/time/localtime.c b/lib/libc/time/localtime.c
index 704c254fb8b..6f1c207047b 100644
--- a/lib/libc/time/localtime.c
+++ b/lib/libc/time/localtime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: localtime.c,v 1.63 2022/09/21 15:57:49 millert Exp $ */
+/* $OpenBSD: localtime.c,v 1.64 2022/09/23 17:29:22 millert Exp $ */
 /*
 ** This file is in the public domain, so clarified as of
 ** 1996-06-05 by Arthur David Olson.
@@ -325,8 +325,8 @@ tzload(const char *name, struct state *sp, int doextend)
 */
 if (name[0] == ':')
 name++;
- /* Ignore absolute paths or names that might contain "..". */
- if (name[0] == '/' || strchr(name, '.'))
+ /* Ignore absolute paths or names that contain "../". */
+ if (name[0] == '/' || strstr(name, "../") != NULL)
 name = NULL;
 }
 if (name == NULL) {
diff --git a/lib/libc/time/tzset.3 b/lib/libc/time/tzset.3
index 72312bff73f..12083b1d6c6 100644
--- a/lib/libc/time/tzset.3
+++ b/lib/libc/time/tzset.3
@@ -1,5 +1,5 @@
-.\" $OpenBSD: tzset.3,v 1.24 2022/09/21 15:57:49 millert Exp $
-.Dd $Mdocdate: September 21 2022 $
+.\" $OpenBSD: tzset.3,v 1.25 2022/09/23 17:29:22 millert Exp $
+.Dd $Mdocdate: September 23 2022 $
 .Dt TZSET 3
 .Os
 .Sh NAME
@@ -59,9 +59,9 @@ If
 .Ev TZ
 begins with a
 .Ql /
-or contains a
-.Ql \&.
-character, it is ignored and the system local time zone file,
+or contains
+.Ql \&../ ,
+it is ignored and the system local time zone file,
 .Pa /etc/localtime ,
 is used instead.
 The file must be in the format specified in
--
2.20.1
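Review bot: The new test `strstr(name, "../") != NULL` in the second localtime.c hunk only matches a ".." that is followed by a slash, so a name that is exactly `..` or that ends in `/..` is no longer rejected, as it was under the old `strchr(name, '.')`. Such a name refers to a directory rather than a zone file, so it presumably fails when the file is read later, but that code is outside this hunk and nothing here records the reliance. I would extend the comment to state the reason for the narrower test and that assumption, e.g. `/* Reject absolute paths and "../" traversal; a lone '.' is legal in POSIX TZ rules (such as M3.2.0). A trailing ".." names a directory and is left to fail on read. */`. tzload's body starts and ends outside the hunk, so the later handling should be confirmed against the full function.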