Description of problem:
By using %2f instead of / in the URI path, the plugin's regex to hook specific docker API requests can be bypassed, allowing a user to bypass the authorization plugin.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:
The plugin fails the request URI check because it doesn't decode %2f, and it allows starting the container which contains an anonymous volume.

Expected results:
The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:
The Docker CLI is not affected by this.
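The mismatch described in the report, as an added Go example that is not the plugin's own code: a route check run on the raw request URI misses the `%2f` form, while the same check run after `url.QueryUnescape` catches it. The pattern `startRe` and the functions `hooksRaw` and `hooksDecoded` are assumptions made for illustration, and the sample URIs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// startRe is an assumed stand-in for the plugin's hook pattern; the
// plugin's real expression is not shown in this report.
var startRe = regexp.MustCompile(`^/(v[0-9.]+/)?containers/([^/]+)/start(\?.*)?$`)

// hooksRaw matches the request URI exactly as received (the reported behaviour).
func hooksRaw(method, uri string) bool {
	return method == "POST" && startRe.MatchString(uri)
}

// hooksDecoded applies url.QueryUnescape first, as the report proposes.
// A URI that fails to decode is returned as an error so the caller can deny it
// instead of letting it fall through unmatched.
func hooksDecoded(method, uri string) (bool, error) {
	decoded, err := url.QueryUnescape(uri)
	if err != nil {
		return false, fmt.Errorf("undecodable request URI %q: %w", uri, err)
	}
	return method == "POST" && startRe.MatchString(decoded), nil
}

func main() {
	// Constructed sample request URIs.
	for _, uri := range []string{
		"/containers/anonvol/start",   // plain form
		"/containers/anonvol%2fstart", // form from the report
		"/containers/anonvol%2Fstart", // upper-case hex digit
		"/containers/anonvol%zzstart", // malformed escape
	} {
		hooked, err := hooksDecoded("POST", uri)
		fmt.Printf("%-30s raw=%-5v decoded=%-5v err=%v\n",
			uri, hooksRaw("POST", uri), hooked, err)
	}
}
```
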
Code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly.
docker-1.12.1-13.git9a3752d.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-93c58fa1b3
docker-1.12.1-13.git9a3752d.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-93c58fa1b3
docker-1.12.1-13.git9a3752d.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.