
Fixed potential security issue (never try http on official index when polling the endpoint). Also fixed local repos name when pulling index.docker.io/foo/bar

Sam Alba 12 年之前
父节点
当前提交
f44eac49fa
共有 2 个文件被更改,包括 17 次插入2 次删除
  1. 12 2
      registry/registry.go
  2. 5 0
      server.go

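--- a/registry/registry.go
+++ b/registry/registry.go
@@ -18,8 +18,14 @@ import (
 )
 
 var ErrAlreadyExists = errors.New("Image already exists")
+var ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
 
 func pingRegistryEndpoint(endpoint string) error {
+	if endpoint == auth.IndexServerAddress() {
+		// Skip the check, we now this one is valid
+		// (and we never want to fallback to http in case of error)
+		return nil
+	}
 	resp, err := http.Get(endpoint + "_ping")
 	if err != nil {
 		return err
@@ -56,16 +62,20 @@ func validateRepositoryName(repositoryName string) error {
 
 // Resolves a repository name to a endpoint + name
 func ResolveRepositoryName(reposName string) (string, string, error) {
+	if strings.Contains(reposName, "://") {
+		// It cannot contain a scheme!
+		return "", "", ErrInvalidRepositoryName
+	}
 	nameParts := strings.SplitN(reposName, "/", 2)
 	if !strings.Contains(nameParts[0], ".") {
 		// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
 		err := validateRepositoryName(reposName)
-		return "https://index.docker.io/v1/", reposName, err
+		return auth.IndexServerAddress(), reposName, err
 	}
 	if len(nameParts) < 2 {
 		// There is a dot in repos name (and no registry address)
 		// Is it a Registry address without repos name?
-		return "", "", fmt.Errorf("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
+		return "", "", ErrInvalidRepositoryName
 	}
 	hostname := nameParts[0]
 	reposName = nameParts[1]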
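Review bot: The guard added at the top of `pingRegistryEndpoint` uses `endpoint == auth.IndexServerAddress()`, so the "never fall back to http" guarantee holds only when the endpoint is byte-for-byte that string. Whether another spelling of the official host (different case, an explicit port, a trailing dot) can reach this function depends on the part of `ResolveRepositoryName` after `hostname := nameParts[0]`, which continues outside the hunk. If it can, that endpoint is still pinged and remains eligible for the fallback the comment refers to. Consider normalising the hostname before building the endpoint and comparing by host, ideally in one shared predicate, since `server.go` repeats the same equality test to choose `localName` and would otherwise store such a pull under a different local name. The comment should also read `// Skip the check, we know this one is valid`.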

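--- a/server.go
+++ b/server.go
@@ -485,6 +485,11 @@ func (srv *Server) ImagePull(localName string, tag string, out io.Writer, sf *ut
 		return err
 	}
 
+	if endpoint == auth.IndexServerAddress() {
+		// If pull "index.docker.io/foo/bar", it's stored locally under "foo/bar"
+		localName = remoteName
+	}
+
 	out = utils.NewWriteFlusher(out)
 	err = srv.pullRepository(r, out, localName, remoteName, tag, endpoint, sf)
 	if err != nil {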