From bfc3a4192ae5723e401470688cdae59b95bd61f1 Mon Sep 17 00:00:00 2001
From: cyphar
Date: Sat, 10 May 2014 16:38:47 +1000
Subject: [PATCH] daemon: container: ensure cp cannot traverse outside container rootfs

This patch fixes the bug that allowed cp to copy files outside of the containers rootfs, by passing a relative path (such as ../../../../../../../../etc/shadow). This is fixed by first converting the path to an absolute path (relative to /) and then appending it to the container's rootfs before continuing.

Docker-DCO-1.1-Signed-off-by: Aleksa Sarai (github: cyphar)
---
 AUTHORS | 1 +
 daemon/container.go | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/AUTHORS b/AUTHORS
index adfcfaa851..b8c58ab09a 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -6,6 +6,7 @@
 Aanand Prasad
 Aaron Feng
 Abel MuiƱo
+Aleksa Sarai
 Alexander Larsson
 Alexey Shamrin
 Alex Gaynor
diff --git a/daemon/container.go b/daemon/container.go
index 7b6b65494e..7250b442a6 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -745,8 +745,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
 if err := container.Mount(); err != nil {
 return nil, err
 }
+
 var filter []string
+
+ // Ensure path is local to container basefs
+ resource = path.Join("/", resource)
 basePath := path.Join(container.basefs, resource)
+
 stat, err := os.Stat(basePath)
 if err != nil {
 container.Unmount()
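Review bot: The added `resource = path.Join("/", resource)` only normalises the string, so the `os.Stat(basePath)` that follows still resolves symbolic links against the host filesystem; a link stored inside the container rootfs whose target lies outside `container.basefs` is not confined by this check. Since the rootfs content is written by the container, the joined path should be resolved and re-checked before it is used, for example `resolved, err := filepath.EvalSymlinks(basePath)` followed by a refusal when `resolved` is neither `container.basefs` nor below it (with `container.Unmount()` on that error path, as the existing branch does). The comment would be more accurate as `// Rebase resource onto "/" so ".." segments cannot climb above basefs (lexical only; symlinks are not resolved here)`. The rest of Copy lies outside the hunk, so whether the later archiving step re-resolves the path cannot be seen from here.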