fix(volume): prevent bind mounts and allow named volumes [EE-2364] (#6771)

* check bindmounts via absolute path

* check bindmounts via absolute path
pull/6762/head
sunportainer 2022-04-19 20:05:16 +08:00 committed by GitHub
parent 360701e256
commit 76d1b70644
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions


@ -7,6 +7,7 @@ import (
"errors"
"io/ioutil"
"net/http"
"strings"
"github.com/docker/docker/client"
portainer "github.com/portainer/portainer/api"
@ -221,8 +222,12 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
}
if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
for _, bind := range partialContainer.HostConfig.Binds {
if strings.HasPrefix(bind, "/") {
return forbiddenResponse, errors.New("forbidden to use bind mounts")
}
}
}
request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
}
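Review bot: The new `strings.HasPrefix(bind, "/")` test in the `Binds` loop is a deny-list keyed to Linux absolute paths, so every entry whose source does not start with `/` is accepted as a named volume. If this transport also fronts Windows Docker endpoints (not visible in the hunk), Windows-style host paths would not be caught by it. I would invert the test into an allow-list that accepts an entry only when its source part matches Docker's volume-name character set, as in the fence below, where `namedVolumePattern` stands for a package-level `regexp.MustCompile` of `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`. The hunk also inspects only `HostConfig.Binds`, so it is worth confirming that `HostConfig.Mounts` entries of type `bind` are rejected elsewhere in this function. decorateContainerCreationOperation begins and ends outside the hunk.

```go
// … unchanged: security settings lookup and partialContainer decoding …
if !securitySettings.AllowBindMountsForRegularUsers {
	for _, bind := range partialContainer.HostConfig.Binds {
		// Only a volume name is acceptable as the source; any other form
		// (absolute path, drive-letter path, pipe) is a host bind mount.
		source := strings.SplitN(bind, ":", 2)[0]
		if !namedVolumePattern.MatchString(source) {
			return forbiddenResponse, errors.New("forbidden to use bind mounts")
		}
	}
}
// … unchanged: request.Body reset …
```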