by leftcenterright
755 days ago
> This is of course a harmless PoC and you can try it out using docker pull vin01/escape-seq-test:latest --platform darwin/arm64 or docker run --rm vin01/escape-seq-test and you should see the injected link as shown below.

Wow, I wouldn't have expected `docker pull` in particular to allow arbitrary content injection. Does anyone know of any tools which scan images being pulled before passing them over to `docker` for processing?

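Added example, not part of the thread and not code from Docker or from vin01's PoC: the kind of pre-check the comment above asks about. It scans every string in an image manifest (and any other text a CLI would echo to the terminal) for OSC, CSI and other escape sequences plus stray C0/C1 control bytes, reports where they sit, and rewrites them into a visible form so a report can be printed safely. The manifest below is constructed for the example (the annotation keys are standard OCI ones, the values are made up), and the function names are assumptions of this example, not a real tool's API.

```python
"""Flag and neutralize terminal escape sequences in data that will be echoed
to a terminal: image references, manifest/config annotations, labels.
Hypothetical helper written for this example; not a Docker component."""
import json
import re
from typing import Iterator

# Order matters: OSC and CSI are tried before the generic ESC fallback.
SEQUENCE_PATTERNS = [
    # ESC ] ... terminated by BEL or ST (ESC \): OSC, e.g. OSC 8 hyperlinks
    ("OSC", r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"),
    # ESC [ params intermediates final: CSI (colours, cursor moves, erase line)
    ("CSI", r"\x1b\[[0-?]*[ -/]*[@-~]"),
    # Any other ESC plus one byte (charset select, DCS/PM/APC), or a dangling ESC
    ("ESC", r"\x1b.?"),
    # C0 controls except \t and \n (so \r overwrites are caught), DEL, and 8-bit C1
    ("CTRL", r"[\x00-\x08\x0b-\x1f\x7f-\x9f]"),
]
COMBINED = re.compile(
    "|".join(f"(?P<{name}>{pat})" for name, pat in SEQUENCE_PATTERNS), re.DOTALL
)


def find_escape_sequences(text: str) -> list[tuple[int, str, str]]:
    """Return (offset, kind, raw_sequence) for every suspicious sequence in text."""
    return [(m.start(), m.lastgroup, m.group()) for m in COMBINED.finditer(text)]


def sanitize(text: str) -> str:
    """Rewrite control bytes as \\xNN so the string can be printed without
    the terminal interpreting it; printable bytes inside a sequence are kept
    so the reader still sees e.g. the URL of an injected hyperlink."""
    return COMBINED.sub(
        lambda m: "".join(
            c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in m.group()
        ),
        text,
    )


def scan_json_strings(node, path: str = "$") -> Iterator[tuple[str, list]]:
    """Walk a decoded JSON document and yield (json_path, hits) for every
    string value or key that carries escape/control bytes."""
    if isinstance(node, str):
        hits = find_escape_sequences(node)
        if hits:
            yield path, hits
    elif isinstance(node, dict):
        for key, value in node.items():
            key_path = f"{path}.{sanitize(key)}"  # sanitized so the report is safe to print
            yield from scan_json_strings(key, key_path + " (key)")
            yield from scan_json_strings(value, key_path)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from scan_json_strings(value, f"{path}[{i}]")


def check_manifest(raw_json: str) -> dict[str, list[str]]:
    """Return {json_path: [kinds of sequence found]} for a manifest/config blob."""
    return {
        path: [kind for _, kind, _ in hits]
        for path, hits in scan_json_strings(json.loads(raw_json))
    }


# Constructed sample manifest: an OSC 8 hyperlink to a bogus host, followed by
# an erase-line + carriage return that would overwrite the visible output.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [],
    "annotations": {
        "org.opencontainers.image.title": "innocent",
        "org.opencontainers.image.description":
            "\x1b]8;;https://attacker.invalid/\x1b\\Click to verify\x1b]8;;\x1b\\ "
            "\x1b[2K\rStatus: Downloaded newer image",
    },
})


if __name__ == "__main__":
    for path, kinds in check_manifest(SAMPLE_MANIFEST).items():
        print(f"{path}: {', '.join(kinds)}")
    desc = json.loads(SAMPLE_MANIFEST)["annotations"]["org.opencontainers.image.description"]
    print("sanitized:", sanitize(desc))
```

Run it against the JSON returned by a registry's manifest endpoint (or `docker manifest inspect` / `docker inspect` output) before letting anything print it; a non-empty report from `check_manifest` is the signal to refuse or to print only the `sanitize`d form.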
Having read Docker source code and seen a repetitive pattern of silly mistakes with dire consequences, I emphatically would expect it to have such, and many other similar, issues.
My personal favorite is still the time they computed a hash of a download, but then failed to compare it to anything.