timezone: disallow directory traversal

Don't allow a timezone definition to go outside of it's directory

Reported by Hu Xinyao and NVIDIA Project Vanessa

diff --git a/hooks/15-timezone b/hooks/15-timezone
index 97ab18c91d763127620763f2e9b2e7b115853de7..3a905a0e591e5b29d5e60459ec9cf45af2fc9b24 100644 (file)
--- a/hooks/15-timezone
+++ b/hooks/15-timezone
@@ -27,8 +27,16 @@ set_zoneinfo()
                return 1
        fi
 
+       # disallow directory traversal
+       case "$new_tzdb_timezone" in
+       \.\./*|*/\.\./*)
+               syslog warning "invalid timezone: $new_tzdb_timezone"
+               return 1
+               ;;
+       esac
+
        zone_file="$zoneinfo_dir/$new_tzdb_timezone"
-       if [ ! -e "$zone_file" ]; then
+       if [ ! -f "$zone_file" ]; then
                syslog warning "no timezone definition for $new_tzdb_timezone"
                return 1
        fi