kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

daemon: container: ensure cp cannot traverse outside container rootfs

Browse source 
This patch fixes the bug that allowed cp to copy files outside of
the containers rootfs, by passing a relative path (such as
../../../../../../../../etc/shadow). This is fixed by first converting
the path to an absolute path (relative to /) and then appending it
to the container's rootfs before continuing.

Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This commit is contained in:
cyphar 2014-05-10 16:38:47 +10:00
parent f637eaca5d
commit bfc3a4192a
2 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
AUTHORS
View file

@ -6,6 +6,7 @@
Aanand Prasad <aanand.prasad@gmail.com> Aanand Prasad <aanand.prasad@gmail.com>
Aaron Feng <aaron.feng@gmail.com> Aaron Feng <aaron.feng@gmail.com>
Abel Muiño <amuino@gmail.com> Abel Muiño <amuino@gmail.com>
Aleksa Sarai <cyphar@cyphar.com>
Alexander Larsson <alexl@redhat.com> Alexander Larsson <alexl@redhat.com>
Alexey Shamrin <shamrin@gmail.com> Alexey Shamrin <shamrin@gmail.com>
Alex Gaynor <alex.gaynor@gmail.com> Alex Gaynor <alex.gaynor@gmail.com>

5
daemon/container.go
View file

@ -745,8 +745,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
if err := container.Mount(); err != nil { if err := container.Mount(); err != nil {
return nil, err return nil, err
} }
var filter []string var filter []string
// Ensure path is local to container basefs
resource = path.Join("/", resource)
basePath := path.Join(container.basefs, resource) basePath := path.Join(container.basefs, resource)
stat, err := os.Stat(basePath) stat, err := os.Stat(basePath)
if err != nil { if err != nil {
container.Unmount() container.Unmount()