From af06d289e4300f3b86ec9deba7280c3c37fa4e05 Mon Sep 17 00:00:00 2001
From: Josh Hawn <josh.hawn@docker.com>
Date: Mon, 27 Jul 2015 16:09:08 -0700
Subject: [PATCH] [api/client] update check Dockerfile in Context

Actually determine the relative path of the Dockerfile to the context
directory. Error out if the relative path starts with "../".

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
---
 api/client/build.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/api/client/build.go b/api/client/build.go
index 54e76521b7..84f83f7a4f 100644
--- a/api/client/build.go
+++ b/api/client/build.go
@@ -31,7 +31,6 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/pkg/progressreader"
 	"github.com/docker/docker/pkg/streamformatter"
-	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/docker/pkg/ulimit"
 	"github.com/docker/docker/pkg/units"
 	"github.com/docker/docker/pkg/urlutil"
@@ -340,15 +339,15 @@ func getDockerfileRelPath(givenContextDir, givenDockerfile string) (absContextDi
 		absDockerfile = filepath.Join(absContextDir, absDockerfile)
 	}
 
-	// Verify that 'filename' is within the build context
-	absDockerfile, err = symlink.FollowSymlinkInScope(absDockerfile, absContextDir)
+	// Evaluate symlinks in the path to the Dockerfile too.
+	absDockerfile, err = filepath.EvalSymlinks(absDockerfile)
 	if err != nil {
-		return "", "", fmt.Errorf("The Dockerfile (%s) must be within the build context (%s)", givenDockerfile, givenContextDir)
+		return "", "", fmt.Errorf("unable to evaluate symlinks in Dockerfile path: %v", err)
 	}
 
 	if _, err := os.Lstat(absDockerfile); err != nil {
 		if os.IsNotExist(err) {
-			return "", "", fmt.Errorf("Cannot locate Dockerfile: absDockerfile: %q", absDockerfile)
+			return "", "", fmt.Errorf("Cannot locate Dockerfile: %q", absDockerfile)
 		}
 		return "", "", fmt.Errorf("unable to stat Dockerfile: %v", err)
 	}
@@ -357,6 +356,10 @@ func getDockerfileRelPath(givenContextDir, givenDockerfile string) (absContextDi
 		return "", "", fmt.Errorf("unable to get relative Dockerfile path: %v", err)
 	}
 
+	if strings.HasPrefix(relDockerfile, ".."+string(filepath.Separator)) {
+		return "", "", fmt.Errorf("The Dockerfile (%s) must be within the build context (%s)", givenDockerfile, givenContextDir)
+	}
+
 	return absContextDir, relDockerfile, nil
 }