From 642e6a377324c7873f278c6bd7fd5e60201139e2 Mon Sep 17 00:00:00 2001
From: Nuutti Kotivuori
Date: Wed, 29 Apr 2015 22:29:50 +0300
Subject: [PATCH] Prevent fallback to v1 registry for digest pulls

The intention of the user is to download a verified image if explicitly pulling with a digest and falling back to v1 registry circumvents that protection.

Signed-off-by: Nuutti Kotivuori
---
 graph/pull.go | 4 ++++
 integration-cli/docker_cli_by_digest_test.go | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/graph/pull.go b/graph/pull.go
index c3c064fc58..8ec179e384 100644
--- a/graph/pull.go
+++ b/graph/pull.go
@@ -88,6 +88,10 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf
 logrus.Debug("image does not exist on v2 registry, falling back to v1")
 }
 
+ if utils.DigestReference(tag) {
+ return fmt.Errorf("pulling with digest reference failed from v2 registry")
+ }
+
 logrus.Debugf("pulling v1 repository with local name %q", repoInfo.LocalName)
 if err = s.pullRepository(r, imagePullConfig.OutStream, repoInfo, tag, sf, imagePullConfig.Parallel); err != nil {
 return err
diff --git a/integration-cli/docker_cli_by_digest_test.go b/integration-cli/docker_cli_by_digest_test.go
index b9b319cf94..d4d4949955 100644
--- a/integration-cli/docker_cli_by_digest_test.go
+++ b/integration-cli/docker_cli_by_digest_test.go
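Review bot: In graph/pull.go the new digest guard returns a fixed string that says nothing about why the v2 attempt failed, so a missing manifest, a rejected digest and a v2 endpoint that was never tried would all look the same to the user. The debug line just above it also still logs "falling back to v1" immediately before the fallback is refused. I would keep the text the integration test matches and append the reference, e.g. `return fmt.Errorf("pulling with digest reference failed from v2 registry: %s", tag)`, and add a why-comment on the check such as `// v1 pulls are not verified against the digest, so a digest reference must never fall back`. Pull begins and ends outside this hunk, so whether the v2 error is still in scope at this point cannot be seen here.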
@@ -115,6 +115,16 @@ func (s *DockerRegistrySuite) TestPullByDigest(c *check.C) {
 }
 }
 
+func (s *DockerRegistrySuite) TestPullByDigestNoFallback(c *check.C) {
+ // pull from the registry using the @ reference
+ imageReference := fmt.Sprintf("%s@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", repoName)
+ cmd := exec.Command(dockerBinary, "pull", imageReference)
+ out, _, err := runCommandWithOutput(cmd)
+ if err == nil || !strings.Contains(out, "pulling with digest reference failed from v2 registry") {
+ c.Fatalf("expected non-zero exit status and correct error message when pulling non-existing image: %s", out)
+ }
+}
+
 func (s *DockerRegistrySuite) TestCreateByDigest(c *check.C) {
 pushDigest, err := setupImage()
 if err != nil {
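Review bot: TestPullByDigestNoFallback never calls setupImage(), unlike TestCreateByDigest right below it, so it may be pulling from a repository that does not exist at all. The case the guard protects is presumably an existing repository whose digest does not match, so consider pushing the image first and then pulling it with the all-f digest. The combined condition also hides which half failed; splitting it, with `if err == nil { c.Fatalf("expected pull by unknown digest to fail: %s", out) }` ahead of the strings.Contains check, makes a regression easier to read. The leading comment could state the intent, e.g. `// a digest that matches no pushed image: v2 must fail and v1 must not be tried`.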