daemon: container: ensure cp cannot traverse outside container rootfs

This patch fixes the bug that allowed cp to copy files outside of
the containers rootfs, by passing a relative path (such as
../../../../../../../../etc/shadow). This is fixed by first converting
the path to an absolute path (relative to /) and then appending it
to the container's rootfs before continuing.

Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This commit is contained in:
cyphar 2014-05-10 16:38:47 +10:00
parent f637eaca5d
commit bfc3a4192a
2 changed files with 6 additions and 0 deletions

View file

@ -6,6 +6,7 @@
Aanand Prasad <aanand.prasad@gmail.com>
Aaron Feng <aaron.feng@gmail.com>
Abel Muiño <amuino@gmail.com>
Aleksa Sarai <cyphar@cyphar.com>
Alexander Larsson <alexl@redhat.com>
Alexey Shamrin <shamrin@gmail.com>
Alex Gaynor <alex.gaynor@gmail.com>

View file

@ -745,8 +745,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
if err := container.Mount(); err != nil {
return nil, err
}
var filter []string
// Ensure path is local to container basefs
resource = path.Join("/", resource)
basePath := path.Join(container.basefs, resource)
stat, err := os.Stat(basePath)
if err != nil {
container.Unmount()