Use golang.org/x/sys/execabs #2950

Merged
merged 2 commits into from
Jan 27, 2021

Commits on Jan 26, 2021

  1. vendor docker, docker-credential-helpers and golang/sys for execabs package
    
    Signed-off-by: Tibor Vass <tibor@docker.com>
    Tibor Vass committed Jan 26, 2021
    7bef248
  2. Use golang.org/x/sys/execabs

    On Windows, the os/exec.{Command,CommandContext,LookPath} functions
    resolve command names that have neither path separators nor file extension
    (e.g., "git") by first looking in the current working directory before
    looking in the PATH environment variable.
    Go maintainers intended to match cmd.exe's historical behavior.
    
    However, this is pretty much never the intended behavior and out of an abundance of caution
    this patch prevents that when executing commands.
    Examples of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.
    
    Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
    the Windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.
    
    Signed-off-by: Tibor Vass <tibor@docker.com>
    Tibor Vass committed Jan 26, 2021
    8d199d5
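
The lookup rule described in the second commit message, as an added example that is not code from this pull request or from docker/cli: a standard-library-only wrapper that refuses a bare command name when it resolves relative to the current directory. `lookPathAbs`, `plantTool`, `ErrRelativeResult` and the file name `example-tool` are hypothetical, and on Unix the demo puts `.` in `PATH` as a stand-in for the implicit current-directory lookup on Windows.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// ErrRelativeResult: a bare name resolved via the cwd, not an absolute PATH entry.
var ErrRelativeResult = errors.New("command resolved relative to current directory")

// lookPathAbs is a hypothetical helper (not docker/cli code). It wraps
// os/exec.LookPath and rejects a non-absolute result for a bare name.
func lookPathAbs(name string) (string, error) {
	path, err := exec.LookPath(name)
	// Check path before err: newer Go returns the relative path plus an error, older Go with nil.
	if path != "" && filepath.Base(name) == name && !filepath.IsAbs(path) {
		return "", fmt.Errorf("%w: %q -> %q", ErrRelativeResult, name, path)
	}
	if err != nil {
		return "", err
	}
	return path, nil
}

// plantTool writes a constructed executable into dir and returns its bare name.
func plantTool(dir string) (string, error) {
	name := "example-tool"
	if runtime.GOOS == "windows" {
		name += ".exe"
	}
	return name, os.WriteFile(filepath.Join(dir, name), []byte("#!/bin/sh\n"), 0755)
}

func main() {
	dir, _ := os.MkdirTemp("", "lookpath-demo")
	defer os.RemoveAll(dir)
	name, _ := plantTool(dir)
	os.Chdir(dir)
	os.Setenv("PATH", ".") // Unix stand-in for Windows' implicit cwd lookup
	_, err := lookPathAbs(name)
	fmt.Println("cwd-only lookup:", err)
	os.Setenv("PATH", dir) // same file, reached through an absolute PATH entry
	path, err := lookPathAbs(name)
	fmt.Println("absolute PATH lookup:", path, err)
}
```

Names that contain a path separator are passed through unchanged, so a caller that deliberately runs `./tool` still can.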