Merge pull request #42017 from thaJeztah/20.10_backport_build_fixes

[20.10 backport]: avoid creating parent dirs for XGlobalHeader, and fix permissions

pkg/archive/archive.go

@@ -917,6 +917,12 @@ loop:
 			return err
 		}
 
+		// ignore XGlobalHeader early to avoid creating parent directories for them
+		if hdr.Typeflag == tar.TypeXGlobalHeader {
+			logrus.Debugf("PAX Global Extended Headers found for %s and ignored", hdr.Name)
+			continue
+		}
+
 		// Normalize name, for safety and for a simple is-root check
 		// This keeps "../" as-is, but normalizes "/../" to "/". Or Windows:
 		// This keeps "..\" as-is, but normalizes "\..\" to "\".
@@ -936,7 +942,7 @@ loop:
 			parent := filepath.Dir(hdr.Name)
 			parentPath := filepath.Join(dest, parent)
 			if _, err := os.Lstat(parentPath); err != nil && os.IsNotExist(err) {
-				err = idtools.MkdirAllAndChownNew(parentPath, 0777, rootIDs)
+				err = idtools.MkdirAllAndChownNew(parentPath, 0755, rootIDs)
 				if err != nil {
 					return err
 				}

pkg/archive/archive_test.go

@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"bytes"
 	"compress/gzip"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -1174,6 +1175,26 @@ func TestTempArchiveCloseMultipleTimes(t *testing.T) {
 	}
 }
 
+// TestXGlobalNoParent is a regression test to check parent directories are not crated for PAX headers
+func TestXGlobalNoParent(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w := tar.NewWriter(buf)
+	err := w.WriteHeader(&tar.Header{
+		Name:     "foo/bar",
+		Typeflag: tar.TypeXGlobalHeader,
+	})
+	assert.NilError(t, err)
+	tmpDir, err := ioutil.TempDir("", "pax-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	err = Untar(buf, tmpDir, nil)
+	assert.NilError(t, err)
+
+	_, err = os.Lstat(filepath.Join(tmpDir, "foo"))
+	assert.Check(t, err != nil)
+	assert.Check(t, errors.Is(err, os.ErrNotExist))
+}
+
 func TestReplaceFileTarWrapper(t *testing.T) {
 	filesInArchive := 20
 	testcases := []struct {

pkg/archive/archive_unix_test.go

@@ -3,6 +3,7 @@
 package archive // import "github.com/docker/docker/pkg/archive"
 
 import (
+	"archive/tar"
 	"bytes"
 	"fmt"
 	"io/ioutil"
@@ -156,6 +157,24 @@ func TestTarWithHardLinkAndRebase(t *testing.T) {
 	assert.Check(t, is.Equal(i1, i2))
 }
 
+// TestUntarParentPathPermissions is a regression test to check that missing
+// parent directories are created with the expected permissions
+func TestUntarParentPathPermissions(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w := tar.NewWriter(buf)
+	err := w.WriteHeader(&tar.Header{Name: "foo/bar"})
+	assert.NilError(t, err)
+	tmpDir, err := ioutil.TempDir("", t.Name())
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	err = Untar(buf, tmpDir, nil)
+	assert.NilError(t, err)
+
+	fi, err := os.Lstat(filepath.Join(tmpDir, "foo"))
+	assert.NilError(t, err)
+	assert.Equal(t, fi.Mode(), 0755|os.ModeDir)
+}
+
 func getNlink(path string) (uint64, error) {
 	stat, err := os.Stat(path)
 	if err != nil {