Security fixes:

* Strip lookup calls out of inventory variables and clean unsafe data returned from lookup plugins (CVE-2014-4966) * Make sure vars don't insert extra parameters into module args and prevent duplicate params from superseding previous params (CVE-2014-4967)
2014-07-21 11:20:49 -05:00 · 2014-07-21 11:20:49 -05:00 · 274e1f4106
commit 274e1f4106
parent 9f294530e9
1 changed files with 34 additions and 27 deletions
--- a/commands/command
+++ b/commands/command
@ -193,29 +193,36 @@ class CommandModule(AnsibleModule):
            args = args.replace("#USE_SHELL", "")
            params['shell'] = True

-        r = re.compile(r'(^|\s)(creates|removes|chdir|executable|NO_LOG)=(?P<quote>[\'"])?(.*?)(?(quote)(?<!\\)(?P=quote))((?<!\\)(?=\s)|$)')
-        for m in r.finditer(args):
-            v = m.group(4).replace("\\", "")
-            if m.group(2) == "creates":
-                params['creates'] = v
-            elif m.group(2) == "removes":
-                params['removes'] = v
-            elif m.group(2) == "chdir":
-                v = os.path.expanduser(v)
-                v = os.path.abspath(v)
+        # use shlex to split up the args, while being careful to preserve
+        # single quotes so they're not removed accidentally
+        lexer = shlex.shlex(args, posix=True)
+        lexer.whitespace_split = True
+        lexer.quotes = '"'
+        lexer.ignore_quotes = "'"
+        items = list(lexer)
+
+        command_args = ''
+        for x in items:
+            if '=' in x:
+                # check to see if this is a special parameter for the command
+                k, v = x.split('=', 1)
+                if k in ('creates', 'removes', 'chdir', 'executable', 'NO_LOG'):
+                    if k == "chdir":
+                        v = os.path.abspath(os.path.expanduser(v))
                        if not (os.path.exists(v) and os.path.isdir(v)):
                            self.fail_json(rc=258, msg="cannot change to directory '%s': path does not exist" % v)
-                params['chdir'] = v
-            elif m.group(2) == "executable":
-                v = os.path.expanduser(v)
-                v = os.path.abspath(v)
+                    elif k == "executable":
+                        v = os.path.abspath(os.path.expanduser(v))
                        if not (os.path.exists(v)):
                            self.fail_json(rc=258, msg="cannot use executable '%s': file does not exist" % v)
-                params['executable'] = v
-            elif m.group(2) == "NO_LOG":
-                params['NO_LOG'] = self.boolean(v)
-        args = r.sub("", args)
-        params['args'] = args
+                    params[k] = v
+                else:
+                    # this isn't a valid parameter, so just append it back to the list of arguments
+                    command_args = "%s %s" % (command_args, x)
+            else:
+                # not a param, so just append it to the list of arguments
+                command_args = "%s %s" % (command_args, x)
+        params['args'] = command_args.strip()
        return (params, params['args'])

 main()