From 6c54ceb0e491ffbe06b3185632f79a74cfbca7e2 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Wed, 8 Jun 2016 13:09:02 +0200
Subject: [PATCH] Filter seccomp profile path from malicious .. and /
---
 pkg/kubelet/dockertools/manager.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/kubelet/dockertools/manager.go b/pkg/kubelet/dockertools/manager.go
index 75f19c4ee6c..3c03b00441b 100644
--- a/pkg/kubelet/dockertools/manager.go
+++ b/pkg/kubelet/dockertools/manager.go
@@ -1015,7 +1015,9 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
 return nil, fmt.Errorf("unknown seccomp profile option: %s", profile)
 }
- file, err := ioutil.ReadFile(filepath.Join(dm.seccompProfileRoot, strings.TrimPrefix(profile, "localhost/")))
+ name := strings.TrimPrefix(profile, "localhost/")
+ fname := filepath.Join(dm.seccompProfileRoot, filepath.FromSlash(path.Clean("/"+name)))
+ file, err := ioutil.ReadFile(fname)
 if err != nil {
 return nil, err
 }
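Review bot: The new `fname` computation silently maps a profile name containing `..` or a leading `/` to some other file under `dm.seccompProfileRoot` instead of refusing it, so a malformed or hostile annotation either loads a different profile or fails with a bare ReadFile error, and nothing records the attempt. Consider rejecting non-canonical names before the read, e.g. `if name == "" || path.Clean("/"+name) != "/"+name { return nil, fmt.Errorf("invalid seccomp profile name: %q", name) }`, and adding a comment above `fname` such as `// Root the name at "/" before cleaning so ".." cannot climb above seccompProfileRoot.` The cleaning is purely lexical: it does not resolve symlinks inside the profile root, and `path.Clean` treats only `/` as a separator, so the guarantee rests on the profile directory being trusted and on a slash-separated platform. The enclosing getSecurityOpt starts and ends outside the hunk, and the `path` import is not visible here, so it is presumably already present in manager.go.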