@@ -278,6 +278,9 @@ func (b *buildFile) addContext(container *Container, orig, dest string) error {

 	if strings.HasSuffix(dest, "/") {

 		destPath = destPath + "/"

 	}

+	if !strings.HasPrefix(origPath, b.context) {

+		return fmt.Errorf("Forbidden path: %s", origPath)

+	}

 	fi, err := os.Stat(origPath)

 	if err != nil {

 		return err

@@ -423,3 +423,52 @@ func TestBuildImageWithoutCache(t *testing.T) {

 		t.Fail()

 	}

 }

+

+func TestForbiddenContextPath(t *testing.T) {

+	runtime, err := newTestRuntime()

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer nuke(runtime)

+

+	srv := &Server{

+		runtime:     runtime,

+		pullingPool: make(map[string]struct{}),

+		pushingPool: make(map[string]struct{}),

+	}

+

+	context := testContextTemplate{`

+        from {IMAGE}

+        maintainer dockerio

+        add ../../ test/

+        `,

+		[][2]string{{"test.txt", "test1"}, {"other.txt", "other"}}, nil}

+

+	httpServer, err := mkTestingFileServer(context.remoteFiles)

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer httpServer.Close()

+

+	idx := strings.LastIndex(httpServer.URL, ":")

+	if idx < 0 {

+		t.Fatalf("could not get port from test http server address %s", httpServer.URL)

+	}

+	port := httpServer.URL[idx+1:]

+

+	ip := srv.runtime.networkManager.bridgeNetwork.IP

+	dockerfile := constructDockerfile(context.dockerfile, ip, port)

+

+	buildfile := NewBuildFile(srv, ioutil.Discard, false, true)

+	_, err = buildfile.Build(mkTestContext(dockerfile, context.files, t))

+

+	if err == nil {

+		t.Log("Error should not be nil")

+		t.Fail()

+	}

+

+	if err.Error() != "Forbidden path: /" {

+		t.Logf("Error message is not expected: %s", err.Error())

+		t.Fail()

+	}

+}