Issue #3127
SECURITY: tags are used without sanitization
Status: CLOSED - WONTFIX
Priority: High
Assignee: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version - Docker:
Platform Release:
Target Release - Docker:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:
Description
As a user, I can do:
pulp-admin docker repo tag --repo-id test-docker --tag-name ../just:kidding --digest sha256:d5749b517161981ec3f189ff8a7d1dac3d15332c595b297cbc9246286fde34a3
which will result in the repo publishing the image as /var/lib/pulp/published/docker/v2/web/test-docker/manifests/just:kidding
(instead of under /var/lib/pulp/published/docker/v2/web/test-docker/manifests/2/)
It doesn't look like you can escape the repository directory structure with a cleverly crafted tag, but you can most certainly put a v2 image in the v1 namespace.
I think tags should follow a directory structure normalization, and any ../ should be stripped out.
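A defensive check for the tag handling reported above, as an added example that is not part of the original report and is not Pulp's code. It assumes tags are validated against Docker's tag grammar (a word character followed by up to 127 word characters, dots or dashes) and rejected rather than stripped; `naive_publish_path`, `safe_publish_path` and `is_rejected` are hypothetical helper names, and the naive function only models the reported outcome.

```python
import posixpath
import re

# Docker's tag grammar: one word character, then up to 127 word
# characters, dots or dashes. Neither "/" nor ":" is allowed.
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")

# Path taken from the issue; the trailing "2" is the schema-version directory.
MANIFEST_DIR = "/var/lib/pulp/published/docker/v2/web/test-docker/manifests/2"


def naive_publish_path(tag, base=MANIFEST_DIR):
    """Model of the reported outcome: the tag is joined in unchecked."""
    return posixpath.normpath(posixpath.join(base, tag))


def safe_publish_path(tag, base=MANIFEST_DIR):
    """Hypothetical helper: validate the tag, then confirm containment."""
    if not TAG_RE.fullmatch(tag):
        raise ValueError("invalid tag name: %r" % (tag,))
    path = posixpath.normpath(posixpath.join(base, tag))
    # Defence in depth: the result must be a direct child of base.
    if posixpath.dirname(path) != posixpath.normpath(base):
        raise ValueError("tag escapes manifest directory: %r" % (tag,))
    return path


def is_rejected(tag):
    """True when safe_publish_path refuses the tag."""
    try:
        safe_publish_path(tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample tags, including the one from the issue.
    for tag in ["latest", "v1.0_rc-2", "../just:kidding", "..", "a/b", ""]:
        print("%-18r rejected=%s" % (tag, is_rejected(tag)))
```
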