git: 3e2e5eebfaa0 - main - tzcode: Remove access() again, cf. 02ba1d993fa9.

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Sat, 14 Jan 2023 17:20:05 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=3e2e5eebfaa0aebb2790bbde7f35d4c6c52e2596

commit 3e2e5eebfaa0aebb2790bbde7f35d4c6c52e2596
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2023-01-13 14:54:21 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-01-14 17:16:17 +0000

    tzcode: Remove access() again, cf. 02ba1d993fa9.
    
    Reported by:    Coverity (CID 1250126)
    MFC after:      1 week
    Sponsored by:   Klara, Inc.
    Differential Revision: https://reviews.freebsd.org/D38035
---
 contrib/tzcode/localtime.c | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)

diff --git a/contrib/tzcode/localtime.c b/contrib/tzcode/localtime.c
index 2dbab26509d3..30ae18a965e8 100644
--- a/contrib/tzcode/localtime.c
+++ b/contrib/tzcode/localtime.c
@@ -468,7 +468,6 @@ tzloadbody(char const *name, struct state *sp, bool doextend,
 	register int			fid;
 	register int			stored;
 	register ssize_t		nread;
-	register bool doaccess;
 	register union input_buffer *up = &lsp->u.u;
 	register int tzheadsize = sizeof(struct tzhead);
 
@@ -482,15 +481,7 @@ tzloadbody(char const *name, struct state *sp, bool doextend,
 
 	if (name[0] == ':')
 		++name;
-#ifdef SUPPRESS_TZDIR
-	/* Do not prepend TZDIR.  This is intended for specialized
-	   applications only, due to its security implications.  */
-	doaccess = true;
-#else
-	doaccess = name[0] == '/';
-#endif
-	if (!doaccess) {
-		char const *dot;
+	if (name[0] != '/') {
 		if (sizeof lsp->fullname - sizeof tzdirslash <= strlen(name))
 		  return ENAMETOOLONG;
 
@@ -500,20 +491,8 @@ tzloadbody(char const *name, struct state *sp, bool doextend,
 		memcpy(lsp->fullname, tzdirslash, sizeof tzdirslash);
 		strcpy(lsp->fullname + sizeof tzdirslash, name);
 
-		/* Set doaccess if NAME contains a ".." file name
-		   component, as such a name could read a file outside
-		   the TZDIR virtual subtree.  */
-		for (dot = name; (dot = strchr(dot, '.')); dot++)
-		  if ((dot == name || dot[-1] == '/') && dot[1] == '.'
-		      && (dot[2] == '/' || !dot[2])) {
-		    doaccess = true;
-		    break;
-		  }
-
 		name = lsp->fullname;
 	}
-	if (doaccess && access(name, R_OK) != 0)
-	  return errno;
 	if (doextend) {
 		/*
 		 * Detect if the timezone file has changed.  Check