From c8593c4d61b169d5a3942fb5fe5904466f82a3b1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 7 Feb 2017 11:17:41 +0100
Subject: [PATCH] sanitize systemd-notify message

Accept only READY= notify messages from the container.

Signed-off-by: Giuseppe Scrivano
---
 notify_socket.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/notify_socket.go b/notify_socket.go
index 5e174e0ba..9e30e4780 100644
--- a/notify_socket.go
+++ b/notify_socket.go
@@ -3,6 +3,7 @@
 package main
 
 import (
+ "bytes"
 "fmt"
 "net"
 "path/filepath"
@@ -75,7 +76,25 @@ func (notifySocket *notifySocket) run() {
 if err != nil {
 break
 }
+ var out bytes.Buffer
+ for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) {
+ if bytes.HasPrefix(line, []byte("READY=")) {
+ _, err = out.Write(line)
+ if err != nil {
+ return
+ }
 
- client.Write(buf[0:r])
+ _, err = out.Write([]byte{'\n'})
+ if err != nil {
+ return
+ }
+
+ _, err = client.Write(out.Bytes())
+ if err != nil {
+ return
+ }
+ return
+ }
+ }
 }
 }
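Review bot: The `bytes.HasPrefix(line, []byte("READY="))` test in the second hunk allow-lists the key but still copies whatever the container wrote after `READY=` to the host's notify socket. systemd documents only `READY=1`, so matching the whole line with `bytes.Equal(line, []byte("READY=1"))` and forwarding a constant, `_, err = client.Write([]byte("READY=1\n"))`, would keep container-controlled bytes off the host socket entirely. That also makes `out` and its two error checks unnecessary, since `bytes.Buffer.Write` always returns a nil error. The bare `return`s end `run()` after the first forwarded message and on a failed `client.Write` without any log line; a comment such as `// READY is the only message relayed; stop proxying once it is delivered` would record that this is intended. The start of `run()`, including the read that fills `buf`, lies outside the hunk.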