daemon: container: properly handle paths with symlink path components

This patch fixes the incorrect handling of paths which contain a symlink as a path component when copying data from a container. Essentially, this patch changes the container.Copy() method to first "resolve" the resource by resolving all of symlinks encountered in the path relative to the container's rootfs (using pkg/symlink). Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar) Upstream-commit: 328d2cba116067a2ad0f161b9ee098ed024825b3 Component: engine
2026-01-13 18:22:35 +03:00 · 2014-05-23 17:48:01 +10:00
parent 1a0d737a90
commit e52cd2deb7
1 changed files with 9 additions and 1 deletions
--- a/components/engine/daemon/container.go
+++ b/components/engine/daemon/container.go
@@ -25,6 +25,7 @@ import (
 	"github.com/dotcloud/docker/pkg/label"
 	"github.com/dotcloud/docker/pkg/networkfs/etchosts"
 	"github.com/dotcloud/docker/pkg/networkfs/resolvconf"
+	"github.com/dotcloud/docker/pkg/symlink"
 	"github.com/dotcloud/docker/runconfig"
 	"github.com/dotcloud/docker/utils"
 )
@@ -760,7 +761,13 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {

 	var filter []string

-	basePath := container.getResourcePath(resource)
+	resPath := container.getResourcePath(resource)
+	basePath, err := symlink.FollowSymlinkInScope(resPath, container.basefs)
+	if err != nil {
+		container.Unmount()
+		return nil, err
+	}
+
 	stat, err := os.Stat(basePath)
 	if err != nil {
 		container.Unmount()
@@ -780,6 +787,7 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) {
 		Includes:    filter,
 	})
 	if err != nil {
+		container.Unmount()
 		return nil, err
 	}
 	return utils.NewReadCloserWrapper(archive, func() error {