Correct unmarshal order for SignedManifest

To ensure that we only unmarshal the verified payload into the contained
manifest, we first copy the entire incoming buffer into Raw and then unmarshal
only the Payload portion of the incoming bytes. If the contents is later
verified, the caller can then be sure that the contents of the Manifest fields
can be trusted.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This commit is contained in:
Stephen J Day 2015-09-14 21:12:33 -07:00 committed by Aaron Lehmann
parent 4c4112bdcf
commit 76624704c3
4 changed files with 77 additions and 41 deletions

View file

@ -62,15 +62,20 @@ type SignedManifest struct {
// UnmarshalJSON populates a new ImageManifest struct from JSON data.
func (sm *SignedManifest) UnmarshalJSON(b []byte) error {
sm.Raw = make([]byte, len(b), len(b))
copy(sm.Raw, b)
p, err := sm.Payload()
if err != nil {
return err
}
var manifest Manifest
if err := json.Unmarshal(b, &manifest); err != nil {
if err := json.Unmarshal(p, &manifest); err != nil {
return err
}
sm.Manifest = manifest
sm.Raw = make([]byte, len(b), len(b))
copy(sm.Raw, b)
return nil
}