Change path breakout detection logic in archive package
Fixes #9375 Signed-off-by: Alexandr Morozov <lk4d4@docker.com> Conflicts: integration-cli/docker_cli_cp_test.go removed extra test
parent
cd74be68b8
commit
5ce91364b3
2 changed files with 13 additions and 8 deletions
|
@ -473,10 +473,13 @@ loop:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Prevent symlink breakout
|
|
||||||
path := filepath.Join(dest, hdr.Name)
|
path := filepath.Join(dest, hdr.Name)
|
||||||
if !strings.HasPrefix(path, dest) {
|
rel, err := filepath.Rel(dest, path)
|
||||||
return breakoutError(fmt.Errorf("%q is outside of %q", path, dest))
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if strings.HasPrefix(rel, "..") {
|
||||||
|
return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
|
||||||
}
|
}
|
||||||
|
|
||||||
// If path exits we almost always just want to remove and replace it
|
// If path exits we almost always just want to remove and replace it
|
||||||
|
|
|
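Review bot: `strings.HasPrefix(rel, "..")` also matches a relative path whose first component merely begins with two dots, for example a top-level entry named `..data`, so a legitimate archive member would be rejected with a breakout error. The test should match the parent-directory component only: `if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`. The same condition is added in the `UnpackLayer` hunk that follows and needs the same change. The enclosing function starts and ends outside this hunk, so any later handling of such names is not visible here.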
@ -81,12 +81,14 @@ func UnpackLayer(dest string, layer ArchiveReader) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
path := filepath.Join(dest, hdr.Name)
|
path := filepath.Join(dest, hdr.Name)
|
||||||
base := filepath.Base(path)
|
rel, err := filepath.Rel(dest, path)
|
||||||
|
if err != nil {
|
||||||
// Prevent symlink breakout
|
return err
|
||||||
if !strings.HasPrefix(path, dest) {
|
|
||||||
return breakoutError(fmt.Errorf("%q is outside of %q", path, dest))
|
|
||||||
}
|
}
|
||||||
|
if strings.HasPrefix(rel, "..") {
|
||||||
|
return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
|
||||||
|
}
|
||||||
|
base := filepath.Base(path)
|
||||||
|
|
||||||
if strings.HasPrefix(base, ".wh.") {
|
if strings.HasPrefix(base, ".wh.") {
|
||||||
originalBase := base[len(".wh."):]
|
originalBase := base[len(".wh."):]
|
||||||
|
|
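Review bot: The breakout check built on `filepath.Rel(dest, path)` is purely lexical, and the new code carries no comment saying so. `filepath.Join` and `filepath.Rel` clean the string but do not resolve symlinks, so the check says nothing about an entry whose parent directory under `dest` is already a symlink. Whether that case is covered elsewhere in `UnpackLayer` cannot be seen, because the function continues past this hunk. The old `// Prevent symlink breakout` comment appears to have been dropped in the rewrite; I would put back a comment that states the actual guarantee, e.g. `// Lexical check only: rejects names that clean to a path outside dest; symlinks already present under dest are not resolved here.`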