
For ConfigMap and Secret kube play volumes podman populates the data from the yaml. However the volume content is not controlled by us and we can be tricked into following a symlink to a file on the host instead. Fixes: CVE-2025-9566 Fixes: https://issues.redhat.com/browse/RHEL-113141, https://issues.redhat.com/browse/RHEL-113152, https://issues.redhat.com/browse/OCPBUGS-61268, https://issues.redhat.com/browse/OCPBUGS-61270 Signed-off-by: Paul Holzinger <pholzing@redhat.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
//go:build !linux && !remote
package abi
import (
"errors"
"os"
)
// openSymlinkPath is the stub used on builds that are neither Linux nor
// remote (see this file's build constraint). No symlink-safe open is
// implemented here, so the function opens nothing: root, unsafePath and
// flags are ignored and the result is always a nil file plus an error.
//
// Callers should treat that error as a hard failure. Falling back to a
// plain open of unsafePath would reintroduce the risk of following a
// symlink placed in content that podman does not control.
func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
	errUnsupported := errors.New("cannot safely open symlink on this platform")
	return nil, errUnsupported
}