From 966327c1e53cbfac3bf683126fcc03b2660eef2e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Fri, 2 Dec 2022 01:26:06 +0100
Subject: [PATCH] distribution: checkSupportedMediaType: allow additional
 media-types

This addresses a regression introduced in 407e3a455231bcf5b1c3e18a9e682a646b6e96ab,
which turned out to be "too strict", as there's old images that use, for example;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    unsupported media type application/octet-stream

Before 407e3a455231bcf5b1c3e18a9e682a646b6e96ab, such mediatypes were accepted;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    e110a4a17941: Pull complete
    30dac23631f0: Pull complete
    202fc3980a36: Pull complete
    Digest: sha256:f88925c97b9709dd6da0cb2f811726da9d724464e9be17a964c70f067d2aa64a
    Status: Downloaded newer image for python:3.5.1-alpine
    docker.io/library/python:3.5.1-alpine

This patch copies the additional media-types, using the list of types that
were added in a215e15cb1fbecc3b22d4f90e15638728ac7ac78, which fixed a
similar issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a6a539497ad4ff879d10ed8b588fb4dca0418fb4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 distribution/pull_v2.go  | 10 ++++------
 distribution/registry.go | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index 871a0aee70ddb..5883de95660a3 100644
--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -620,14 +620,12 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
 }
 
 func checkSupportedMediaType(mediaType string) error {
-	supportedMediaTypes := []string{
-		"application/vnd.oci.image.",
-		"application/vnd.docker.",
-	}
-
 	lowerMt := strings.ToLower(mediaType)
 	for _, mt := range supportedMediaTypes {
-		if strings.HasPrefix(lowerMt, mt) {
+		// The should either be an exact match, or have a valid prefix
+		// we append a "." when matching prefixes to exclude "false positives";
+		// for example, we don't want to match "application/vnd.oci.images_are_fun_yolo".
+		if lowerMt == mt || strings.HasPrefix(lowerMt, mt+".") {
 			return nil
 		}
 	}
diff --git a/distribution/registry.go b/distribution/registry.go
index 2e031847c063b..b6826a6cbf70d 100644
--- a/distribution/registry.go
+++ b/distribution/registry.go
@@ -19,6 +19,22 @@ import (
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
+// supportedMediaTypes represents acceptable media-type(-prefixes)
+// we use this list to prevent obscure errors when trying to pull
+// OCI artifacts.
+var supportedMediaTypes = []string{
+	// valid prefixes
+	"application/vnd.oci.image",
+	"application/vnd.docker",
+
+	// these types may occur on old images, and are copied from
+	// ImageTypes below.
+	"application/octet-stream",
+	"application/json",
+	"text/html",
+	"",
+}
+
 // ImageTypes represents the schema2 config types for images
 var ImageTypes = []string{
 	schema2.MediaTypeImageConfig,