prevent directory traversal in setTimezone

author kremlin <ian@kremlin.cc>

Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)

committer kremlin <ian@kremlin.cc>

Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)
author kremlin <ian@kremlin.cc>
Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)
committer kremlin <ian@kremlin.cc>
Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)
diff --git a/src/interfaces/timedated/timedated.c b/src/interfaces/timedated/timedated.c

index d4b0dceea6eb553a2c1923a579daf0c50258fe09..8fb1ce5bd206396d62373225eecd77e4f45935c6 100644 (file)
--- a/src/interfaces/timedated/timedated.c
+++ b/src/interfaces/timedated/timedated.c
@@ -219,7 +219,11 @@ on_handle_set_timezone(Timedate1 *td1_passed_interf,
      strlcat(tz_target_path, "/", TZNAME_MAX);
      strlcat(tz_target_path, proposed_tz, TZNAME_MAX);
  
-    g_printf("%s\n", tz_target_path);
+    if(strstr(tz_target_path, "../")) {
+
+        g_dbus_method_invocation_return_dbus_error(invoc, "org.freedesktop.timedate1.Error.EBADF", "Provided timezone is invalid.");
+        return FALSE;
+    }
  
      if(!statbuf)
          return FALSE;
@@ -266,7 +270,9 @@ on_handle_set_local_rtc(Timedate1 *td1_passed_interf,
                          GDBusMethodInvocation *invoc,
                          const gchar *greet,
                          gpointer data) {
-    return FALSE;
+
+    g_dbus_method_invocation_return_dbus_error(invoc, "org.freedesktop.timedate1.Error.ENODEV", "OpenBSD does not support setting the realtime clock in local time, only UTC.");
+    return TRUE;
  }
  
  static gboolean
@@ -324,6 +330,7 @@ our_get_timezone() {
      return ret;
  }
  
+/* openbsd does not support setting the RTC to localtime, only UTC */
  gboolean
  our_get_local_rtc() {
author	kremlin <ian@kremlin.cc>
	Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)
committer	kremlin <ian@kremlin.cc>
	Tue, 14 Oct 2014 15:11:13 +0000 (10:11 -0500)