+++ This bug was initially created as a clone of Bug #1376954 +++

Description of problem:
By using %2f instead of / in the URI path the plugin's regex to hook specific docker API requests can be bypassed, allowing a user to bypass the authorization plugin.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:
The plugin fails the request URI check because it doesn't decode %2f and allows starting the container which contains an anonymous volume.

Expected results:
The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:
the Docker CLI is not affected by this.
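The check described in the report above, sketched in Go as an added example (not the plugin's own code and not part of the original report): the same route pattern is tested against the raw request URI and against the URI after url.QueryUnescape. The pattern startRoute and the helpers matchRaw and matchDecoded are assumptions made for illustration, and the sample URIs are constructed apart from the one quoted in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// startRoute is an assumed pattern for the container-start endpoint;
// the plugin's real regex is not shown in this report.
var startRoute = regexp.MustCompile(`^(/v[0-9.]+)?/containers/([^/]+)/start$`)

// matchRaw tests the request URI exactly as received, the behaviour
// the report describes: an encoded slash never matches the pattern.
func matchRaw(requestURI string) (string, bool) {
	m := startRoute.FindStringSubmatch(requestURI)
	if m == nil {
		return "", false
	}
	return m[2], true
}

// matchDecoded applies url.QueryUnescape before matching, as the report
// proposes. A URI that cannot be decoded returns an error so the caller
// can deny the request instead of letting it through unchecked.
func matchDecoded(requestURI string) (string, bool, error) {
	decoded, err := url.QueryUnescape(requestURI)
	if err != nil {
		return "", false, err
	}
	name, ok := matchRaw(decoded)
	return name, ok, nil
}

func main() {
	// Constructed sample URIs; the second is the one from the report.
	for _, uri := range []string{
		"/containers/anonvol/start",
		"/containers/anonvol%2fstart",
		"/v1.22/containers/anonvol/start",
		"/containers/anonvol%zzstart",
	} {
		_, raw := matchRaw(uri)
		name, dec, err := matchDecoded(uri)
		fmt.Printf("%-34s raw=%-5v decoded=%-5v name=%q err=%v\n", uri, raw, dec, name, err)
	}
}
```
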
Code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly.
docker-1.10.3-52.git8b7fa4a.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3c01d214a
docker-1.10.3-52.git8b7fa4a.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3c01d214a
docker-1.10.3-52.git8b7fa4a.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.