hwclock: make --date=argument less prone to injection

This change should not improve security much.  One hopes hwclock --set is
restricted for root only.  Where hwclock is allowed to run via sudo, or has
setuid setup, there is a pretty easy privilege escalation via subshell.

$ sudo ./hwclock --set --date='2000-10-20$(touch /tmp/hwclock.inject)'

Reviewed-by: J William Piggott <elseifthen@gmx.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>

diff --git a/sys-utils/hwclock.c b/sys-utils/hwclock.c
index 98933316f0d9b40155e298817bd19f0b7ef70e9c..8716946d63a52653bc508679fa088c95cdbb586c 100644 (file)
--- a/sys-utils/hwclock.c
+++ b/sys-utils/hwclock.c
@@ -672,10 +672,12 @@ static int interpret_date_string(const struct hwclock_control *ctl,
        }
 
        /* Quotes in date_opt would ruin the date command we construct. */
-       if (strchr(ctl->date_opt, '"') != NULL) {
+       if (strchr(ctl->date_opt, '"') != NULL ||
+           strchr(ctl->date_opt, '`') != NULL ||
+           strchr(ctl->date_opt, '$') != NULL) {
                warnx(_
                      ("The value of the --date option is not a valid date.\n"
-                      "In particular, it contains quotation marks."));
+                      "In particular, it contains illegal character(s)."));
                return retcode;
        }