Add control over validation of URLs in pushed manifests

Until we have some experience hosting foreign layer manifests, the Hub
operators wish to limit foreign layers on Hub. To that end, this change
adds registry configuration options to restrict the URLs that may appear
in pushed manifests.

Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
Noah Treuhaft
2016-07-08 15:44:52 -07:00
parent 2052f29be6
commit 61e5803b56
7 changed files with 137 additions and 5 deletions


@@ -102,10 +102,12 @@ func (ms *schema2ManifestHandler) verifyManifest(ctx context.Context, mnfst sche
if len(fsLayer.URLs) == 0 {
err = errMissingURL
}
allow := ms.repository.manifestURLs.allow
deny := ms.repository.manifestURLs.deny
for _, u := range fsLayer.URLs {
var pu *url.URL
pu, err = url.Parse(u)
if err != nil || (pu.Scheme != "http" && pu.Scheme != "https") || pu.Fragment != "" {
if err != nil || (pu.Scheme != "http" && pu.Scheme != "https") || pu.Fragment != "" || (allow != nil && !allow.MatchString(u)) || (deny != nil && deny.MatchString(u)) {
err = errInvalidURL
break
}
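Review bot: In the new condition, `allow.MatchString(u)` and `deny.MatchString(u)` run against the raw URL string, and (assuming these are `*regexp.Regexp`, which the hunk does not show) `MatchString` succeeds on a match anywhere in that string, so an allow pattern that names only a host is also satisfied when the same text appears in the path, query or userinfo of a URL that points at a different host. Either the configuration documentation should require anchored patterns, or the policy should be evaluated on parsed fields such as `pu.Host`; at minimum add a comment above the loop: `// allow/deny are unanchored regexps matched against the raw URL; patterns must anchor with ^ and include scheme and host`. Denied and malformed URLs both end in `errInvalidURL`, so a rejected push does not tell the operator which rule fired. The enclosing verifyManifest body starts and ends outside this hunk.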