
Don't accept initial / as container name
Closed, Public

Authored by dereckson on Oct 10 2018, 23:46.

Details

Summary

The Docker registry allows using /foo or foo as a container name.

This is a dubious comfort feature, but it would be nice if queries
like %2Ftmp (/tmp URL-encoded) don't have a lot of chance to
succeed: even if the API is intended to expose metadata of a
filesystem without any secret, it could theoretically be deployed
into an environment where the filesystem can expose secrets.

Test Plan

Browse {{URL}}/docker/registry/repository/%2Ftmp/
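
The risk described in the summary, as an added example that is not the project's code: it assumes the API maps a repository name onto a directory under a storage root. `REGISTRY_ROOT` and both function names are hypothetical, and the check goes beyond the initial `/` case by validating every name component.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed storage root for illustration (hypothetical, not taken from the page).
REGISTRY_ROOT = "/var/lib/registry/repositories"

# One path component of a repository name, modelled on the Docker
# distribution grammar: lowercase alphanumerics joined by ".", "_", "__" or "-".
_COMPONENT = re.compile(r"[a-z0-9]+(?:(?:\.|_{1,2}|-+)[a-z0-9]+)*")


def naive_repository_path(raw_name):
    """'Before' behaviour: decode the URL segment and join it as-is."""
    # posixpath.join() discards REGISTRY_ROOT when the second argument is absolute.
    return posixpath.join(REGISTRY_ROOT, unquote(raw_name))


def safe_repository_path(raw_name):
    """Decode once, validate the name, then build the path under the root."""
    name = unquote(raw_name)
    if name.startswith("/"):
        raise ValueError("repository name must not start with '/'")
    components = name.split("/")
    # Rejects "", ".", "..", and anything still percent-encoded ("%2F").
    if not all(_COMPONENT.fullmatch(c) for c in components):
        raise ValueError("invalid repository name component")
    path = posixpath.normpath(posixpath.join(REGISTRY_ROOT, *components))
    # Defence in depth: the result must still be below the root.
    if posixpath.commonpath([REGISTRY_ROOT, path]) != REGISTRY_ROOT:
        raise ValueError("path escapes the registry root")
    return path


if __name__ == "__main__":
    # Constructed sample inputs; %2Ftmp is the request from the test plan.
    for raw in ["foo", "library/foo", "%2Ftmp", "..%2F..%2Fetc", "%252Ftmp"]:
        naive = naive_repository_path(raw)
        try:
            print(f"{raw!r:18} naive={naive!r} safe={safe_repository_path(raw)!r}")
        except ValueError as exc:
            print(f"{raw!r:18} naive={naive!r} rejected: {exc}")
```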

Diff Detail

Repository
rAPIREG Nasqueron private Docker registry API
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.
This revision is now accepted and ready to land. (Oct 10 2018, 23:46)
This revision was automatically updated to reflect the committed changes.