>From 3db83c526e474fdb76630d2b3269a61afdcd7aa5 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 29 Oct 2018 08:35:38 -0700 Subject: [PROPOSED 1/2] =?UTF-8?q?Avoid=20unnecessary=20calls=20to=20?= =?UTF-8?q?=E2=80=98access=E2=80=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * localtime.c (tzloadbody): Check more precisely for "..". --- localtime.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/localtime.c b/localtime.c index 6b45254..7b72f9c 100644 --- a/localtime.c +++ b/localtime.c @@ -413,6 +413,7 @@ tzloadbody(char const *name, struct state *sp, bool doextend, doaccess = name[0] == '/'; #endif if (!doaccess) { + char const *dot; size_t namelen = strlen(name); if (sizeof lsp->fullname - sizeof tzdirslash <= namelen) return ENAMETOOLONG; @@ -423,9 +424,16 @@ tzloadbody(char const *name, struct state *sp, bool doextend, memcpy(lsp->fullname, tzdirslash, sizeof tzdirslash); strcpy(lsp->fullname + sizeof tzdirslash, name); - /* Set doaccess if '.' (as in "../") shows up in name. */ - if (strchr(name, '.')) - doaccess = true; + /* Set doaccess if NAME contains a ".." file name + component, as such a name could read a file outside + the TZDIR virtual subtree. */ + for (dot = name; (dot = strchr(dot, '.')); dot++) + if ((dot == name || dot[-1] == '/') && dot[1] == '.' + && (dot[2] == '/' || !dot[2])) { + doaccess = true; + break; + } + name = lsp->fullname; } if (doaccess && access(name, R_OK) != 0) -- 2.17.2