Merge pull request #5160 from MadhavJivrajani/master

Use net.IP.IsLoopback() to match loopback addresses
2021-03-17 09:37:17 -04:00 · 2021-03-17 09:37:17 -04:00 · b395f2f9a9
commit b395f2f9a9
parent a0cc9b432d 8f863afd3a
2 changed files with 43 additions and 6 deletions
--- a/remotes/docker/registry.go
+++ b/remotes/docker/registry.go
@ -17,7 +17,10 @@
 package docker

 import (
+	"net"
 	"net/http"
+
+	"github.com/pkg/errors"
 )

 // HostCapabilities represent the capabilities of the registry
@ -202,12 +205,41 @@ func MatchAllHosts(string) (bool, error) {

 // MatchLocalhost is a host match function which returns true for
 // localhost.
+//
+// Note: this does not handle matching of ip addresses in octal,
+// decimal or hex form.
 func MatchLocalhost(host string) (bool, error) {
-	for _, s := range []string{"localhost", "127.0.0.1", "[::1]"} {
-		if len(host) >= len(s) && host[0:len(s)] == s && (len(host) == len(s) || host[len(s)] == ':') {
+	switch {
+	case host == "::1":
+		return true, nil
+	case host == "[::1]":
 		return true, nil
 	}
-	}
-	return host == "::1", nil
+	h, p, err := net.SplitHostPort(host)

+	// addrError helps distinguish between errors of form
+	// "no colon in address" and "too many colons in address".
+	// The former is fine as the host string need not have a
+	// port. Latter needs to be handled.
+	addrError := &net.AddrError{
+		Err:  "missing port in address",
+		Addr: host,
+	}
+	if err != nil {
+		if err.Error() != addrError.Error() {
+			return false, err
+		}
+		// host string without any port specified
+		h = host
+	} else if len(p) == 0 {
+		return false, errors.New("invalid host name format")
+	}
+
+	// use ipv4 dotted decimal for further checking
+	if h == "localhost" {
+		h = "127.0.0.1"
+	}
+	ip := net.ParseIP(h)
+
+	return ip.IsLoopback(), nil
 }
--- a/remotes/docker/registry_test.go
+++ b/remotes/docker/registry_test.go
@ -52,14 +52,19 @@ func TestMatchLocalhost(t *testing.T) {
 		match bool
 	}{
 		{"", false},
-		{"127.1.1.1", false},
+		{"127.1.1.1", true},
 		{"127.0.0.1", true},
+		{"127.256.0.1", false}, // test MatchLocalhost does not panic on invalid ip
+		{"127.23.34.52", true},
 		{"127.0.0.1:5000", true},
 		{"registry.org", false},
+		{"126.example.com", false},
 		{"localhost", true},
 		{"localhost:5000", true},
 		{"[127:0:0:1]", false},
 		{"[::1]", true},
+		{"[::1]:", false},     // invalid ip
+		{"127.0.1.1:", false}, // invalid ip
 		{"[::1]:5000", true},
 		{"::1", true},
 	} {