+++ This bug was initially created as a clone of Bug #1376954 +++

Description of problem:
By using %2f instead of / in the URI path the plugin's regex to hook specific docker API requests can be bypassed, allowing a user to bypass the authorization plugin.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. enable docker-novolume-plugin
2. docker create --name anonvol -v /test fedora bash
3. curl -vvv -X POST http://127.0.0.1:8080/containers/anonvol%2fstart

Actual results:
The plugin fails the request URI check because it doesn't decode %2f and allows starting the container, which contains an anonymous volume.

Expected results:
The plugin should just block any attempt to start a container with anonymous volumes - the fix to this is to url.QueryUnescape the request URI received by the plugin.

Additional info:
the Docker CLI is not affected by this.

--- Additional comment from Antonio Murdaca on 2016-09-16 18:48:10 EDT ---

code already fixed in projectatomic/docker-novolume-plugin master branch - rebuilding and submitting an update shortly