Browse code
daemon: container: ensure cp cannot traverse outside container rootfs
This patch fixes the bug that allowed cp to copy files outside of
the containers rootfs, by passing a relative path (such as
../../../../../../../../etc/shadow). This is fixed by first converting
the path to an absolute path (relative to /) and then appending it
to the container's rootfs before continuing.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
cyphar authored on 2014/05/10 15:38:47Showing 2 changed files
| ... | ... |
@@ -6,6 +6,7 @@ |
| 6 | 6 |
Aanand Prasad <aanand.prasad@gmail.com> |
| 7 | 7 |
Aaron Feng <aaron.feng@gmail.com> |
| 8 | 8 |
Abel MuiƱo <amuino@gmail.com> |
| 9 |
+Aleksa Sarai <cyphar@cyphar.com> |
|
| 9 | 10 |
Alexander Larsson <alexl@redhat.com> |
| 10 | 11 |
Alexey Shamrin <shamrin@gmail.com> |
| 11 | 12 |
Alex Gaynor <alex.gaynor@gmail.com> |
| ... | ... |
@@ -745,8 +745,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
|
| 745 | 745 |
if err := container.Mount(); err != nil {
|
| 746 | 746 |
return nil, err |
| 747 | 747 |
} |
| 748 |
+ |
|
| 748 | 749 |
var filter []string |
| 750 |
+ |
|
| 751 |
+ // Ensure path is local to container basefs |
|
| 752 |
+ resource = path.Join("/", resource)
|
|
| 749 | 753 |
basePath := path.Join(container.basefs, resource) |
| 754 |
+ |
|
| 750 | 755 |
stat, err := os.Stat(basePath) |
| 751 | 756 |
if err != nil {
|
| 752 | 757 |
container.Unmount() |