From: Roy Marples <roy@marples.name>
Date: Fri, 19 Jun 2026 08:07:36 +0000 (+0100)
Subject: timezone: disallow directory traversal
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;p=thirdparty%2Fdhcpcd.git

timezone: disallow directory traversal

Don't allow a timezone definition to go outside of it's directory

Reported by Hu Xinyao and NVIDIA Project Vanessa
---

diff --git a/hooks/15-timezone b/hooks/15-timezone
index 97ab18c9..3a905a0e 100644
--- a/hooks/15-timezone
+++ b/hooks/15-timezone
@@ -27,8 +27,16 @@ set_zoneinfo()
 		return 1
 	fi
 
+	# disallow directory traversal
+	case "$new_tzdb_timezone" in
+	\.\./*|*/\.\./*)
+		syslog warning "invalid timezone: $new_tzdb_timezone"
+		return 1
+		;;
+	esac
+
 	zone_file="$zoneinfo_dir/$new_tzdb_timezone"
-	if [ ! -e "$zone_file" ]; then
+	if [ ! -f "$zone_file" ]; then
 		syslog warning "no timezone definition for $new_tzdb_timezone"
 		return 1
 	fi