From 328d2cba116067a2ad0f161b9ee098ed024825b3 Mon Sep 17 00:00:00 2001 From: cyphar Date: Fri, 23 May 2014 17:48:01 +1000 Subject: [PATCH] daemon: container: properly handle paths with symlink path components This patch fixes the incorrect handling of paths which contain a symlink as a path component when copying data from a container. Essentially, this patch changes the container.Copy() method to first "resolve" the resource by resolving all of symlinks encountered in the path relative to the container's rootfs (using pkg/symlink). Docker-DCO-1.1-Signed-off-by: Aleksa Sarai (github: cyphar) --- daemon/container.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/daemon/container.go b/daemon/container.go index e8bc7d478b..2ae263289d 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -25,6 +25,7 @@ import ( "github.com/dotcloud/docker/pkg/label" "github.com/dotcloud/docker/pkg/networkfs/etchosts" "github.com/dotcloud/docker/pkg/networkfs/resolvconf" + "github.com/dotcloud/docker/pkg/symlink" "github.com/dotcloud/docker/runconfig" "github.com/dotcloud/docker/utils" ) @@ -760,7 +761,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) { var filter []string - basePath := container.getResourcePath(resource) + resPath := container.getResourcePath(resource) + basePath, err := symlink.FollowSymlinkInScope(resPath, container.basefs) + if err != nil { + container.Unmount() + return nil, err + } + stat, err := os.Stat(basePath) if err != nil { container.Unmount() @@ -780,6 +787,7 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) { Includes: filter, }) if err != nil { + container.Unmount() return nil, err } return utils.NewReadCloserWrapper(archive, func() error {