ping @tonistiigi @thaJeztah

see discussion in #13171 (comment)

Can you please let us know if this is strictly required for 1.8.0, and if we're only fixing usability issues or potential security holes?

@icecrime So far it's just a usability/behavior issue. We haven't yet determined if there's a real security issue with this.

Because none of us is a security expert, I'd prefer to have the security team to have a look,
both at this change and the issue it should resolve (reported here #13171 (comment) and discussed on IRC, starting here: https://botbot.me/freenode/docker-dev/2015-07-22/?msg=45272608&page=6).
Better safe than sorry, now that we are still able to check before the 1.8 release.

ping @ewindisch @diogomonica @NathanMcCauley

(just my 0.02, apologies if I crossed my boundaries here)

This seems to only address the Stat-header issue and not rebasing. If I run docker cp id:/foo/ bar where foo is a symlink I don't get local folder bar but a folder that has the name of the symlink target.

This breaks symlink targets without slash. cp -a seems to use same behavior for symlinks-to-dirs as regular directories. I think for local paths this was already different before but for remotes it changed with this PR.

Any comment on the other points in #13171 (comment) ?

Ok! Adding this to the milestone, we don't have to block 1.8.0-rc1 on it though.

@tonistiigi

This seems to only address the Stat-header issue and not rebasing. If I run docker cp id:/foo/ bar where foo is a symlink I don't get local folder bar but a folder that has the name of the symlink target.

I'll add a test case for this and make sure it's fixed.

A couple of windows test failures as expected... wish I could run those locally :-(.

@jlhawn I'm sure @ahmetalpbalkan is able to give you access to an azure machine 😄

@thaJeztah eh, no biggie... I have a windows 8.1 VM locally that I could use, I just haven't bothered setting up the docker dev environment on it. The test failure was also pretty minor: I was comparing a local windows backslash-delimited path with a constant unix-style forward-slash-delimited path.

@tonistiigi This should now fix the behavior you saw on the source being a symlink to a directory.

As for your other question from #13171 (comment):

How can we protect this from running containers updating a filesystem/volumes when the request is taking place? I mean we check for breakouts in the beginning of GET/PUT but if a container is using the filesystem it could just flip a symlink in the right time and then we would have full read/write to host.

I think the only thing we could do is require that the container be stopped or paused? (can that be considered outside the scope of this PR?)

Is docker cp with symlinks supposed to follow the semantics of cp -a? Docs are bit contradictory saying it's cp -a but also that symlink is always/only followed if it's followed by a slash.

#setup (GNU coreutils 8.21):
mkdir foo
touch foo/bar
ln -s foo baz
mkdir abc
touch abc/def

cp -a abc baz # creates foo/abc/def
docker cp t0:abc baz # error: cannot copy directory
docker cp abc t0:baz # error: cannot copy directory

cp -a abc/def baz # creates foo/def
docker cp t0:abc/def baz # creates baz
docker cp abc/def t0:baz # creates baz

cp -a baz/. abc # creates abc/bar
docker cp t0:baz/. abc # creates abc/bar
docker cp baz/. t0:abc # creates abc/(baz -> foo) + WARN

The resolvePath() logic itself seems safe but I'm bit concerned about the readability of the actual place where the breakout protection happens. There is bunch of logic in TarResource for testing symlink/ paths but if I understand it correctly this is only used in client side and would be unsafe otherwise. Maybe we could add a comment in the daemon code that calls TarResource that the path sent there can be symlink or dir/ but should never be symlink/ or symlink/. and it's the calling code's responsibility to check that.

Having two separate code paths that do tar rebasing probably also isn't ideal maintenance-wise and I can't help to point out that by not having the first-level directory we could have probably avoided the need to do rebasing in both ends(plus the need to validate downloaded tar that we should probably also do).

Is docker cp with symlinks supposed to follow the semantics of cp -a? Docs are bit contradictory saying it's cp -a but also that symlink is always/only followed if it's followed by a slash.

This should only apply to the source argument. From your example (thanks!) it looks like we've also erroneously applied it to the destination argument 😦. I'll fold this into this PR also (and add a test case for it based on your example).

Okay, all updated again. Currently the Windows CI is on fire, so I guess we'll have to wait on that.

LGTM

LGTM, but can we squash all those commits? all of the are related to the same thing and it would be easier to keep track of the for the release.

@calavera okay, I'll squash them together

💚 Merging!

🎉

cherry picked into #15091

Great work guys!