kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

archive: prevent breakout in ApplyLayer

Browse source 
Signed-off-by: Tibor Vass <teabee89@gmail.com>
This commit is contained in:
Tibor Vass 2014-10-31 13:18:39 -04:00 committed by unclejack
parent 1852cc3841
commit 31d1d73303
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pkg/archive/diff.go
View file

@ -18,6 +18,8 @@ import (
// ApplyLayer parses a diff in the standard layer format from `layer`, and // ApplyLayer parses a diff in the standard layer format from `layer`, and
// applies it to the directory `dest`. // applies it to the directory `dest`.
func ApplyLayer(dest string, layer ArchiveReader) error { func ApplyLayer(dest string, layer ArchiveReader) error {
dest = filepath.Clean(dest)
// We need to be able to set any perms // We need to be able to set any perms
oldmask, err := system.Umask(0) oldmask, err := system.Umask(0)
if err != nil { if err != nil {
@ -91,6 +93,12 @@ func ApplyLayer(dest string, layer ArchiveReader) error {
path := filepath.Join(dest, hdr.Name) path := filepath.Join(dest, hdr.Name)
base := filepath.Base(path) base := filepath.Base(path)
// Prevent symlink breakout
if !strings.HasPrefix(path, dest) {
return breakoutError(fmt.Errorf("%q is outside of %q", path, dest))
}
if strings.HasPrefix(base, ".wh.") { if strings.HasPrefix(base, ".wh.") {
originalBase := base[len(".wh."):] originalBase := base[len(".wh."):]
originalPath := filepath.Join(filepath.Dir(path), originalBase) originalPath := filepath.Join(filepath.Dir(path), originalBase)