Merge pull request #23428 from Luap99/config-clone

pkg/api: do not leak config pointers into specgen
2024-07-29 19:09:01 +00:00 · 2024-07-29 19:09:01 +00:00 · 2316d914b5
parent 327266d458 1b91df012d
commit 2316d914b5
2 changed files with 19 additions and 2 deletions
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@ -27,14 +27,18 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// copy vars here and not leak config pointers into specgen
+	noHosts := conf.Containers.NoHosts
+	privileged := conf.Containers.Privileged
+
 	// we have to set the default before we decode to make sure the correct default is set when the field is unset
 	sg := specgen.SpecGenerator{
 		ContainerNetworkConfig: specgen.ContainerNetworkConfig{
-			UseImageHosts: &conf.Containers.NoHosts,
+			UseImageHosts: &noHosts,
 		},
 		ContainerSecurityConfig: specgen.ContainerSecurityConfig{
 			Umask:      conf.Containers.Umask,
-			Privileged: &conf.Containers.Privileged,
+			Privileged: &privileged,
 		},
 	}

--- a/test/apiv2/25-containersMore.at
+++ b/test/apiv2/25-containersMore.at
@ -86,4 +86,17 @@ podman run $IMAGE true
 t POST libpod/containers/prune 200
 t GET libpod/containers/json 200 \
  length=0
+
+# check the config options are not overwritten by acceident
+t POST libpod/containers/create name=test1 image=$IMAGE privileged=true 201
+t GET libpod/containers/test1/json 200 \
+  .HostConfig.Annotations.'"io.podman.annotations.privileged"'="TRUE"
+
+# now the same without privileged it should not inhert the privileged from before
+t POST libpod/containers/create name=test2 image=$IMAGE 201
+t GET libpod/containers/test2/json 200 \
+  .HostConfig.Annotations=null
+
+podman rm test1 test2
+
 # vim: filetype=sh