author Julian Andres Klode <julian.klode@canonical.com> 2018-01-29 16:15:41 +0100
committer Julian Andres Klode <julian.klode@canonical.com> 2018-02-19 16:05:01 +0100
commit 9e5899cac1a6367e3769af52a724821880e538f6 (patch)
tree 4c7add81aeb5f851ce764697b03e3778391f9cbc /doc
parent 38d444af2632219ab399dabadaaefaa4dcdd6ebf (diff)
Check that Date of Release file is not in the future
By restricting the Date field to be in the past, an attacker cannot just create a repository from the future that would be accepted as a valid update for a repository.

This check can be disabled by Acquire::Check-Date set to false. This will also disable Check-Valid-Until and any future date related checking, if any - the option means: "my computer's date cannot be trusted."

Modify the tests to allow repositories to be up to 10 hours in the future, so we can keep using hours there to simulate time changes.
Diffstat (limited to 'doc')
-rw-r--r-- doc/apt.conf.5.xml 21
-rw-r--r-- doc/examples/configure-index 3
-rw-r--r-- doc/sources.list.5.xml 17
3 files changed, 41 insertions, 0 deletions
diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
index fdcd99425..e285b3130 100644
--- a/doc/apt.conf.5.xml
+++ b/doc/apt.conf.5.xml
@@ -315,6 +315,27 @@ APT::Compressor::rev {
for the download itself (see also &sources-list;).</para>
<variablelist>
+ <varlistentry><term><option>Check-Date</option></term>
+ <listitem><para>
+ Security related option defaulting to true, enabling time-related
+ checks. Disabling it means that the machine's time cannot be
+ trusted, and APT will hence disable all time-related checks,
+ such as <option>Check-Valid-Until</option> and verifying that
+ the Date field of a release file is not in the future.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><option>Max-FutureTime</option></term>
+ <listitem><para>Maximum time (in seconds) before its creation (as indicated
+ by the <literal>Date</literal> header) that the <filename>Release</filename>
+ file should be considered valid.
+
+ The default value is <literal>10</literal>.
+ Archive specific settings can be made by appending the label of the archive
+ to the option name. Preferably, the same can be achieved for specific
+ &sources-list; entries by using the <option>Date-Max-Future</option> option there.
+ </para></listitem>
+ </varlistentry>
<varlistentry><term><option>Check-Valid-Until</option></term>
<listitem><para>
Security related option defaulting to true, as giving a Release file's
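Review bot: The Max-FutureTime entry does not say that it has no effect when Check-Date is false, even though the Check-Date entry directly above states that disabling it turns off all time-related checks; a sentence saying so would stop readers from tuning Max-FutureTime on a host where the check is already off. The two new entries also name the same thing differently ("the Date field of a release file" versus "the Date header" of the Release file), and "The default value is 10" should repeat the unit (seconds). The sentence "Maximum time (in seconds) before its creation ... that the Release file should be considered valid" is hard to parse; wording along the lines of "Maximum time (in seconds) that the Date field of a Release file may lie in the future" would be clearer.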
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 9088bd844..8a74fde2d 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -234,6 +234,9 @@ Acquire
Max-ValidTime::* "<INT>"; // repository label specific configuration
Min-ValidTime "<INT>"; // time in seconds
Min-ValidTime::* "<INT>"; // repository label specific configuration
+ Check-Date "<BOOL>"; // whether to check the "Date" field
+ Max-FutureTime "<INT>"; // seconds to allow release file's Date field to be in the future (default 10)
+ Max-FutureTime::* "<INT>"; // repository label specific configuration
SameMirrorForAllIndexes "<BOOL>"; // use the mirror serving the Release file for Packages & co
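Review bot: The comment on Check-Date, `// whether to check the "Date" field`, understates what the option does. According to the apt.conf.5.xml text added in this same commit, setting it to false disables all time-related checks, including Check-Valid-Until. Suggest a comment such as `// whether to perform time-related checks (Date, Valid-Until)` so that someone reading configure-index does not switch it off expecting only the Date check to go away.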
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index 2a047c83b..592227dd8 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -343,6 +343,23 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
default.
</para></listitem>
+ <listitem><para><option>Check-Date</option> (<option>check-date</option>)
+ is a yes/no value which controls if APT should consider
+ the machine's time correct and hence perform time related
+ checks, such as verifying that a Release file is not
+ from the future. Disabling it also disables the
+ <option>Check-Valid-Until</option> option
+ mentioned above.
+ </para></listitem>
+
+ <listitem><para><option>Date-Max-Future</option>
+ (<option>date-max-future</option>) controls how far
+ from the future a repository may be.
+ Default to the value of the configuration option
+ <option>Acquire::Max-FutureTime</option> which is
+ 10 seconds by default.
+ </para></listitem>
+
<listitem><para><option>InRelease-Path</option> (<option>inrelease-path</option>)
determines the path to the InRelease file, relative
to the normal position of an <filename>InRelease</filename> file.
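Review bot: In the Date-Max-Future item, "controls how far from the future a repository may be" gives no unit and does not name the field being compared. Suggest something like "controls how many seconds in the future the Date field of a Release file may be", matching the "seconds" stated for the default. "Default to the value" should read "Defaults to the value". The Check-Date item could also state that Date-Max-Future has no effect when Check-Date is set to no, since it already says so for Check-Valid-Until.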