From b8f627d1d543eb3acb181e0ff7c7a50bc6717402 Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 19 Mar 2014 16:31:03 -0400
Subject: [PATCH] Prevent rewriting the encrypted file if decryption fails

---
 lib/ansible/utils/vault.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
index 62b082a9af4..4931871cd54 100644
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -113,7 +113,6 @@ class VaultLib(object):
         # clean out header
         data = self._split_header(data)
-
         # create the cipher object
         if 'Vault' + self.cipher_name in globals() and self.cipher_name in CIPHER_WHITELIST:
             cipher = globals()['Vault' + self.cipher_name]
@@ -123,6 +122,8 @@ class VaultLib(object):
         # try to unencrypt data
         data = this_cipher.decrypt(data, self.password)
+        if not data:
+            raise errors.AnsibleError("Decryption failed")
         return data
@@ -209,7 +210,10 @@ class VaultEditor(object):
         this_vault = VaultLib(self.password)
         if this_vault.is_encrypted(tmpdata):
             dec_data = this_vault.decrypt(tmpdata)
-            self.write_data(dec_data, self.filename)
+            if not dec_data:
+                raise errors.AnsibleError("Decryption failed")
+            else:
+                self.write_data(dec_data, self.filename)
         else:
             raise errors.AnsibleError("%s is not encrypted" % self.filename)
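Review bot: `if not data:` in VaultLib.decrypt treats a legitimately empty plaintext the same as a failed decryption, so a vault whose decrypted content is empty can never be decrypted through this path. If the cipher's decrypt signals failure by returning None (its implementation is outside this hunk), the test should be `if data is None:` so that only the failure case raises "Decryption failed". This guard also only catches a missing or empty result; if a wrong password can yield non-empty garbage without the cipher signalling it, the check will not notice, which is worth confirming against the VaultAES implementation. The decrypt method begins before this hunk.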
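Review bot: The `if not dec_data:` check in VaultEditor duplicates the raise added to VaultLib.decrypt in the same patch and shares its flaw: an empty plaintext is indistinguishable from a failure, so an empty vault file becomes impossible to decrypt in place. Since VaultLib.decrypt now raises before returning, this branch can be collapsed back to `dec_data = this_vault.decrypt(tmpdata)` followed by `self.write_data(dec_data, self.filename)` with no local test; if a local check is kept as defence in depth, make it `if dec_data is None:` and drop the `else:` after the raise. The enclosing method starts before this hunk.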