commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
Author: David Edmundson <kde@davidedmundson.co.uk>
Date: Tue Nov 4 14:00:54 2014 +0100
Validate timezone name before setting
This patch ensures that the symlink /etc/localtime always points to a
file in /usr/share/timezones and not an arbitrary file in a user's home
directory.
diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
index 101d8ca..21fc51a 100644
--- a/kcontrol/dateandtime/helper.cpp
+++ b/kcontrol/dateandtime/helper.cpp
@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
int ClockHelper::tz( const QString& selectedzone )
{
int ret = 0;
+
+ //only allow letters, numbers hyphen underscore plus and forward slash
+ //allowed pattern taken from time-util.c in systemd
+ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
+ return ret;
+ }
+
#if defined(USE_SOLARIS) // MARCO
KTemporaryFile tf;
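Review bot: The early return for a rejected zone name hands back `ret`, which is still 0 at that point, so a refused name cannot be told apart from a call that completed without error. If 0 means success in this helper (the return convention is not visible in the hunk), the rejection should return the helper's timezone error value instead, `return <timezone error code>;`, so the caller can report the refusal. The pattern also ends in `*`, so an empty string passes validation; `+` would reject it unless an empty zone is handled later in tz(), whose body continues outside the hunk. Writing the class as `[a-zA-Z0-9_+/-]` with the hyphen last removes any doubt about `-_` being read as a range.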