setup: untaint path to host timezone

To avoid an error with 'pct create ... --timezone host'.

Reported in the community forum:
https://forum.proxmox.com/threads/pct-create-command-with-timezone-host-option-fails-to-create-a-container.97538/

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 4e211efff13f5237dee1121535e83c41bffdcc1b..7c377abc68917424bb807230f904357e20229183 100644 (file)
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -114,7 +114,9 @@ sub new {
 
     # Cache some host files we need access to:
     $plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
-    $plugin->{host_localtime} = abs_path('/etc/localtime');
+
+    abs_path('/etc/localtime') =~ m|^(/.+)| or die "invalid /etc/localtime\n"; # untaint
+    $plugin->{host_localtime} = $1;
 
     # pass on user namespace information:
     my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);