Bug 1376954

Summary: docker-novolume-plugin: bypass authorization (request uri regexp check fails)
Product: [Fedora] Fedora Reporter: Antonio Murdaca <amurdaca>
Component: dockerAssignee: Antonio Murdaca <amurdaca>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: docker-1.12.1-13.git9a3752d.fc25 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1376956 1376957 (view as bug list) Environment:
Last Closed: 2016-09-27 00:39:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1376956, 1376957    

Description Antonio Murdaca 2016-09-16 22:42:08 UTC 
Description of problem:

By using %2f instead of / in the URI path the plugin's
regex to hook specific docker API requests can be bypassed, allowing a user to
bypass the authorization plugin.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:

The plugin fails the request URI check because it doesn't decode %2f and allows to start the container which contains an anonymous volume.

Expected results:

The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:

the Docker CLI is not affected by this.
Comment 1 Antonio Murdaca 2016-09-16 22:48:10 UTC 
code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly
Comment 2 Fedora Update System 2016-09-17 08:51:58 UTC 
docker-1.12.1-13.git9a3752d.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-93c58fa1b3
Comment 3 Fedora Update System 2016-09-18 07:23:05 UTC 
docker-1.12.1-13.git9a3752d.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-93c58fa1b3
Comment 4 Fedora Update System 2016-09-27 00:39:07 UTC 
docker-1.12.1-13.git9a3752d.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.