Page MenuHomeDevCentral

Don't accept initial / as container name
ClosedPublic

Authored by dereckson on Oct 10 2018, 23:46.

Details

Summary

The Docker registry allows to use /foo or foo as container name.

This is a dubious comfort feature, but it would be nice if queries
like %2Ftmp (/tmp URL encoded) doesn't have a lot of chance to
succeed: even if the API is intended to expose metadata of a
filesystem without any secret, it could theoretically be deployed
into environment where filesystem can expose secrets.

Test Plan

Browse {{URL}}/docker/registry/repository/%2Ftmp/

Diff Detail

Repository
rAPIREG Nasqueron private Docker registry API
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

dereckson requested review of this revision.Oct 10 2018, 23:46
dereckson created this revision.
dereckson accepted this revision.Oct 10 2018, 23:46
This revision is now accepted and ready to land.Oct 10 2018, 23:46
dereckson edited the summary of this revision. (Show Details)Oct 10 2018, 23:46
This revision was automatically updated to reflect the committed changes.