Description: Improve fetch function and add tests for it. Origin: https://lists.cncf.io/g/containerd-security-announce/files/1.2-cve-2020-15157.patch
--- docker.io-18.09.7.orig/components/cli/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
+++ docker.io-18.09.7/components/cli/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
@@ -56,6 +56,23 @@ func (r dockerFetcher) Fetch(ctx context
 }
 
 return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
+ if len(desc.URLs) > 0 {
+ db := *r.dockerBase
+ db.useBasic = false // do not authenticate
+ nr := dockerFetcher{
+ dockerBase: &db,
+ }
+ for _, u := range desc.URLs {
+ log.G(ctx).WithField("url", u).Debug("trying alternative url")
+ rc, err := nr.open(ctx, u, desc.MediaType, offset)
+ if err != nil {
+ log.G(ctx).WithField("error", err).Debug("error trying url")
+ continue // try one of the other urls.
+ }
+
+ return rc, nil
+ }
+ }
 for _, u := range urls {
 rc, err := r.open(ctx, u, desc.MediaType, offset)
 if err != nil {
@@ -142,14 +159,6 @@ func (r dockerFetcher) open(ctx context.
 func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) {
 var urls []string
 
- if len(desc.URLs) > 0 {
- // handle fetch via external urls.
- for _, u := range desc.URLs {
- log.G(ctx).WithField("url", u).Debug("adding alternative url")
- urls = append(urls, u)
- }
- }
-
 switch desc.MediaType {
 case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
 images.MediaTypeDockerSchema1Manifest,
--- docker.io-18.09.7.orig/components/engine/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
+++ docker.io-18.09.7/components/engine/vendor/github.com/containerd/containerd/remotes/docker/fetcher.go
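Review bot: In the cli copy of `Fetch`, the fetcher used for `desc.URLs` is stripped of credentials only by `db.useBasic = false`, while the engine copy of the same fix uses `db.auth = nil`. `db` is a shallow copy of `*r.dockerBase`, so whatever other credential or token state that struct holds in this older vendored version is still present in `nr`, and it is not visible here whether `open` can switch authentication back on after a 401 challenge from the foreign host. That should be confirmed against the vendored `dockerBase` before this is treated as a complete backport of the CVE-2020-15157 fix. I would also record the invariant above the copy, e.g. `// nr must never send registry credentials: desc.URLs come from the image descriptor, not the configured registry`. The closure passed to `newHTTPReadSeeker` continues past the end of the hunk.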
@@ -56,6 +56,23 @@ func (r dockerFetcher) Fetch(ctx context
 }
 
 return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
+ if len(desc.URLs) > 0 {
+ db := *r.dockerBase
+ db.auth = nil // do not authenticate
+ nr := dockerFetcher{
+ dockerBase: &db,
+ }
+ for _, u := range desc.URLs {
+ log.G(ctx).WithField("url", u).Debug("trying alternative url")
+ rc, err := nr.open(ctx, u, desc.MediaType, offset)
+ if err != nil {
+ log.G(ctx).WithField("error", err).Debug("error trying url")
+ continue // try one of the other urls.
+ }
+
+ return rc, nil
+ }
+ }
 for _, u := range urls {
 rc, err := r.open(ctx, u, desc.MediaType, offset)
 if err != nil {
@@ -142,14 +159,6 @@ func (r dockerFetcher) open(ctx context.
 func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) {
 var urls []string
 
- if len(desc.URLs) > 0 {
- // handle fetch via external urls.
- for _, u := range desc.URLs {
- log.G(ctx).WithField("url", u).Debug("adding alternative url")
- urls = append(urls, u)
- }
- }
-
 switch desc.MediaType {
 case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
 images.MediaTypeDockerSchema1Manifest,
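Review bot: The description says tests are added, but the part of the patch visible here changes only the two vendored `fetcher.go` copies, so nothing guards the new `desc.URLs` branch in `Fetch` against regression. A test worth having serves a descriptor whose URL points at a server that answers 401, asserts that the request made through `nr.open` carries no `Authorization` header, and then checks that the loop falls back to the registry URLs. The same applies to the cli copy earlier in the patch. The closure body continues outside the hunk.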