
Merge pull request #9124 from erikh/secure-localhost

Secure localhost registry (carry of #8898)
Erik Hollensbe 10 年之前
父節點
當前提交
33382385c3
共有 2 個文件被更改,包括 27 次插入2 次删除
  1. 16 0
      registry/endpoint.go
  2. 11 2
      registry/registry_test.go

+ 16 - 0
registry/endpoint.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -151,10 +152,25 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
 // IsSecure returns false if the provided hostname is part of the list of insecure registries.
 // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
 func IsSecure(hostname string, insecureRegistries []string) bool {
+
 	if hostname == IndexServerAddress() {
 		return true
 	}
 
+	host, _, err := net.SplitHostPort(hostname)
+
+	if err != nil {
+		host = hostname
+	}
+
+	if host == "127.0.0.1" || host == "localhost" {
+		return false
+	}
+
+	if len(insecureRegistries) == 0 {
+		return true
+	}
+
 	for _, h := range insecureRegistries {
 		if hostname == h {
 			return false
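Review bot: The loopback exemption at `if host == "127.0.0.1" || host == "localhost"` matches two literal strings, so `[::1]:5000`, other 127.0.0.0/8 addresses and `LOCALHOST` still go through the insecure-registry list and are treated differently from the two spellings covered here. Parsing the host would make the rule uniform: `if ip := net.ParseIP(host); strings.EqualFold(host, "localhost") || (ip != nil && ip.IsLoopback()) {`. The name `localhost` is also accepted without checking what it resolves to, so on a machine whose resolver maps it elsewhere this would presumably allow plain HTTP or unverified certificates to a non-local address. That assumption deserves a sentence in the doc comment above IsSecure, which still describes only the list lookup. The function body continues past the end of the hunk.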

+ 11 - 2
registry/registry_test.go

@@ -328,10 +328,19 @@ func TestIsSecure(t *testing.T) {
 	}{
 		{"example.com", []string{}, true},
 		{"example.com", []string{"example.com"}, false},
-		{"localhost", []string{"localhost:5000"}, true},
+		{"localhost", []string{"localhost:5000"}, false},
 		{"localhost:5000", []string{"localhost:5000"}, false},
-		{"localhost", []string{"example.com"}, true},
+		{"localhost", []string{"example.com"}, false},
 		{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
+		{"localhost", []string{}, false},
+		{"localhost:5000", []string{}, false},
+		{"127.0.0.1", []string{}, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"example.com", []string{}, true},
+		{"example.com", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"example.com"}, false},
 	}
 	for _, tt := range tests {
 		if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
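Review bot: Several of the added table rows repeat cases that are already present, so they add run time but no coverage: `{"localhost", []string{"example.com"}, false}` appears twice, as do `{"127.0.0.1", []string{"example.com"}, false}` and both `example.com` rows. Dropping the duplicates would leave room for cases the new logic does not yet pin down, such as an IPv6 loopback address. A row like `{"example.com:5000", []string{"example.com"}, true}` would also help, since the list comparison appears to use the full host:port string; the expected value should be confirmed against the part of IsSecure outside the hunk. The loop body continues outside this hunk.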