From 565e5bbdfc42afe29c4f53b303352d7e8406dcba Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Tue, 11 Nov 2014 13:54:03 -0800
Subject: [PATCH] Fix up the new expand_user method. quoting anywhere in the user_home_path interferes with shell expansion so we have to check it for validity ourselves.
---
 lib/ansible/runner/shell_plugins/sh.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/lib/ansible/runner/shell_plugins/sh.py b/lib/ansible/runner/shell_plugins/sh.py
index 38698e7b4e9..0cf89278d6a 100644
--- a/lib/ansible/runner/shell_plugins/sh.py
+++ b/lib/ansible/runner/shell_plugins/sh.py
@@ -16,9 +16,12 @@
 # along with Ansible. If not, see .
 import os
+import re
 import pipes
 import ansible.constants as C
+_USER_HOME_PATH_RE = re.compile(r'^~[_.A-Za-z0-9][-_.A-Za-z0-9]*$')
+
 class ShellModule(object):
 def env_prefix(self, **kwargs):
@@ -59,9 +62,21 @@ class ShellModule(object):
 cmd += ' && echo %s' % basetmp
 return cmd
- def expand_user(self, user_path):
- # Quote the user portion but leave the tilde to be expanded
- return 'echo ~%s' % pipes.quote(user_path[1:])
+ def expand_user(self, user_home_path):
+ ''' Return a command to expand tildes in a path
+
+ It can be either "~" or "~username". We use the POSIX definition of
+ a username:
+ http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_03_426
+ http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap03.html#tag_03_276
+ '''
+
+ # Check that the user_path to expand is safe
+ if user_home_path != '~':
+ if not _USER_HOME_PATH_RE.match(user_home_path):
+ # pipes.quote will make the shell return the string verbatim
+ user_home_path = pipes.quote(user_home_path)
+ return 'echo %s' % user_home_path
 def checksum(self, path, python_interp):
 path = pipes.quote(path)
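Review bot: The `$` at the end of `_USER_HOME_PATH_RE` also matches just before a trailing newline, so with `.match()` a value ending in a newline (`'~name\n'`) passes the check and is then returned unquoted by expand_user in the second hunk. Anchoring with `\Z` makes the match exact: `_USER_HOME_PATH_RE = re.compile(r'^~[_.A-Za-z0-9][-_.A-Za-z0-9]*\Z')`. Whether a newline can actually reach this value depends on callers that are not visible here, but this pattern is the only validation before the string is handed to the shell. A one-line comment above the constant, such as `# Only strings matching this are passed to the shell unquoted`, would also tell later editors that loosening it is a security change.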
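Review bot: The docstring of expand_user says it expands tildes "in a path", but the new code leaves only a bare `~` or a `~username` unquoted; any value with a path component fails the regex, is passed through `pipes.quote`, and is echoed back unexpanded. The docstring should state that contract, for example `user_home_path must be exactly "~" or "~username"; any other value is quoted and echoed back verbatim`. The inline comment still uses the old parameter name and should read `# Check that the user_home_path to expand is safe`. Callers presumably split off the rest of the path before calling, but that code is outside this hunk.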