Bug 1376956

Summary: docker-novolume-plugin: bypass authorization (request uri regexp check fails)
Product: Fedora
Component: docker
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 24
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: docker-1.10.3-52.git8b7fa4a.fc24
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1376954
Environment:
Last Closed: 2016-09-22 00:22:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1376954, 1376957
Bug Blocks:

Reporter: Antonio Murdaca <amurdaca>
Assignee: Antonio Murdaca <amurdaca>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Docs Contact:
CC: adimania, admiller, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, riek, vbatts

Description Antonio Murdaca 2016-09-16 22:43:21 UTC
+++ This bug was initially created as a clone of Bug #1376954 +++

Description of problem:

By using %2f instead of / in the URI path, the plugin's regex to hook specific Docker API requests can be bypassed, allowing a user to bypass the authorization plugin.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:

The plugin fails the request URI check because it doesn't decode %2f, and so allows starting the container, which contains an anonymous volume.

Expected results:

The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:

The Docker CLI is not affected by this.

Comment 1 Antonio Murdaca 2016-09-16 22:47:24 UTC
code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly

Comment 2 Fedora Update System 2016-09-17 08:50:59 UTC
docker-1.10.3-52.git8b7fa4a.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3c01d214a

Comment 3 Fedora Update System 2016-09-18 06:51:34 UTC
docker-1.10.3-52.git8b7fa4a.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3c01d214a

Comment 4 Fedora Update System 2016-09-22 00:22:07 UTC
docker-1.10.3-52.git8b7fa4a.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.