This is effectively a revert of 2ac9968401, which
switched from os/exec to the golang.org/x/sys/execabs package to mitigate
security issues (mainly on Windows) with lookups resolving to binaries in the
current directory.
From the Go 1.19 release notes (https://go.dev/doc/go1.19#os-exec-path):
> ## PATH lookups
>
> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe) in
> the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
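
The lookup behavior quoted from the Go 1.19 release notes in the commit message above, shown as an added Go example that is not part of the commit or of containerd's code. It assumes a Unix-like system and Go 1.19 or later; `probe`, `Result` and the `prog` script are hypothetical names constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

type Result struct {
	BareBlocked    bool // exec.LookPath(name) failed with exec.ErrDot
	CommandBlocked bool // exec.Command(name).Run() failed with exec.ErrDot
	ExplicitOK     bool // exec.LookPath("./name") succeeded
}

// probe writes a constructed executable into a temp dir, chdirs there, sets
// PATH to pathEnv and tries the lookups; cwd and PATH are restored on return.
func probe(name, pathEnv string) (Result, error) {
	var r Result
	dir, err := os.MkdirTemp("", "errdot-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	if err = os.WriteFile(filepath.Join(dir, name), []byte("#!/bin/sh\nexit 0\n"), 0o755); err != nil {
		return r, err
	}
	oldWD, err := os.Getwd()
	if err == nil {
		err = os.Chdir(dir)
	}
	if err != nil {
		return r, err
	}
	defer os.Chdir(oldWD)
	defer os.Setenv("PATH", os.Getenv("PATH"))
	os.Setenv("PATH", pathEnv)
	_, bareErr := exec.LookPath(name) // bare name, resolved through PATH
	r.BareBlocked = errors.Is(bareErr, exec.ErrDot)
	r.CommandBlocked = errors.Is(exec.Command(name).Run(), exec.ErrDot)
	_, explicitErr := exec.LookPath("./" + name) // explicit relative path, no PATH search
	r.ExplicitOK = explicitErr == nil
	return r, nil
}

func main() {
	fmt.Println(probe("prog", ".")) // "." in PATH: the case the release notes describe
}
```

A caller that really does want the binary from the current directory names it explicitly as `./prog`; a bare name that resolves through `.` is refused by both `LookPath` and `Command`.
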
The PR https://github.com/containerd/containerd/pull/8198 fixed this for CRI but missed clearing the command line in the forked SB server. This simply adds that back in.
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
Protobuf will automatically put the files generated for a v2 module into
a v2 directory. Move them to their correct location after running the
protobuild.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Upgrade google.golang.org/grpc to v1.58.3 in preparation for
upgrading OTel, which has a dependency on the latest version.
See also: containerd/containerd#9281.
Signed-off-by: Milas Bowman <milas.bowman@docker.com>
When the HTTP fallback is used, the scheme changes from HTTPS to HTTP
which can cause a mismatch on redirect, causing the authorizer to get
stripped out. Since the redirect host must match the redirect host in
this case, credentials are only sent to the same origin host that
returned the redirect.
This fixes an issue for a push getting a 401 unauthorized on the PUT
request even though credentials are available.
Signed-off-by: Derek McGowan <derek@mcg.dev>
The Server RPC in the introspection service is extended to expose
deprecation warnings based on observed feature use in containerd.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
This package enumerates the known deprecations in the current version of
containerd. New deprecations should be added here, and old ones
removed.
Signed-off-by: Samuel Karp <samuelkarp@google.com>
The TLS fallback should only be used when the protocol is ambiguous due
to provided TLS configurations and defaulting to http. Do not add TLS
configurations when defaulting to http. When the port is 80 or will be
defaulted to 80, there is no protocol ambiguity and TLS fallback should
not be used.
Signed-off-by: Derek McGowan <derek@mcg.dev>