Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-30 10:49:40 +02:00
Code Issues Releases Activity

fix(volume): prevent bind mounts and allow named volumes [EE-2364] (#6771)

Browse source 
* check bindmounts via absolute path

* check bindmounts via absolute path
This commit is contained in:
sunportainer 2022-04-19 20:05:16 +08:00 committed by GitHub
parent 360701e256
commit 76d1b70644
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
api/http/proxy/factory/docker/containers.go
View file

@ -7,6 +7,7 @@ import (
"errors" "errors"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"strings"
"github.com/docker/docker/client" "github.com/docker/docker/client"
portainer "github.com/portainer/portainer/api" portainer "github.com/portainer/portainer/api"
@ -221,7 +222,11 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
} }
if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) { if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
return forbiddenResponse, errors.New("forbidden to use bind mounts") for _, bind := range partialContainer.HostConfig.Binds {
if strings.HasPrefix(bind, "/") {
return forbiddenResponse, errors.New("forbidden to use bind mounts")
}
}
} }
request.Body = ioutil.NopCloser(bytes.NewBuffer(body)) request.Body = ioutil.NopCloser(bytes.NewBuffer(body))