prevent templating of passwords from prompt (#59246)
* prevent templating of passwords from prompt
fixes CVE-2019-10206
(cherry picked from commit e9a37f8e31)
This commit is contained in:
parent
b2c43bd2b7
commit
d39488ece4
3 changed files with 17 additions and 4 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
|
|
@ -29,6 +29,7 @@ from ansible.release import __version__
|
||||||
from ansible.utils.collection_loader import set_collection_playbook_paths
|
from ansible.utils.collection_loader import set_collection_playbook_paths
|
||||||
from ansible.utils.display import Display
|
from ansible.utils.display import Display
|
||||||
from ansible.utils.path import unfrackpath
|
from ansible.utils.path import unfrackpath
|
||||||
|
from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
|
||||||
from ansible.vars.manager import VariableManager
|
from ansible.vars.manager import VariableManager
|
||||||
|
|
||||||
|
|
||||||
|
@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object)):
|
||||||
except EOFError:
|
except EOFError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
# we 'wrap' the passwords to prevent templating as
|
||||||
|
# they can contain special chars and trigger it incorrectly
|
||||||
|
if sshpass:
|
||||||
|
sshpass = AnsibleUnsafeBytes(sshpass)
|
||||||
|
if becomepass:
|
||||||
|
becomepass = AnsibleUnsafeBytes(becomepass)
|
||||||
|
|
||||||
return (sshpass, becomepass)
|
return (sshpass, becomepass)
|
||||||
|
|
||||||
def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
|
def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
|
||||||
|
|
|
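Review bot: The wraps `sshpass = AnsibleUnsafeBytes(sshpass)` and `becomepass = AnsibleUnsafeBytes(becomepass)` assume both values are already byte strings: AnsibleUnsafeBytes subclasses binary_type, and on Python 3 constructing bytes from a text value without an encoding raises TypeError, which would turn the password prompt into a crash instead of an unsafe-tagged value. The prompting code and the enclosing method's signature are outside the hunk, so I cannot confirm from here that the values were converted with to_bytes before this point; if they were not, wrap as `AnsibleUnsafeBytes(to_bytes(sshpass))` (to_bytes would need importing alongside to_text) or guard with an isinstance check on binary_type. The comment above the wraps explains why templating is avoided but not why the values stay bytes rather than text; a short addition such as `# kept as bytes: only the unsafe marker is added, the value itself is unchanged` would spare the next reader from wondering whether a text conversion was forgotten.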
@ -53,7 +53,7 @@
|
||||||
from __future__ import (absolute_import, division, print_function)
|
from __future__ import (absolute_import, division, print_function)
|
||||||
__metaclass__ = type
|
__metaclass__ = type
|
||||||
|
|
||||||
from ansible.module_utils.six import string_types, text_type
|
from ansible.module_utils.six import string_types, text_type, binary_type
|
||||||
from ansible.module_utils._text import to_text
|
from ansible.module_utils._text import to_text
|
||||||
from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
|
from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
|
||||||
|
|
||||||
|
@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
class UnsafeProxy(object):
|
class UnsafeProxy(object):
|
||||||
def __new__(cls, obj, *args, **kwargs):
|
def __new__(cls, obj, *args, **kwargs):
|
||||||
# In our usage we should only receive unicode strings.
|
# In our usage we should only receive unicode strings.
|
||||||
# This conditional and conversion exists to sanity check the values
|
# This conditional and conversion exists to sanity check the values
|
||||||
# we're given but we may want to take it out for testing and sanitize
|
# we're given but we may want to take it out for testing and sanitize
|
||||||
# our input instead.
|
# our input instead.
|
||||||
if isinstance(obj, string_types):
|
if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
|
||||||
obj = to_text(obj, errors='surrogate_or_strict')
|
obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
|
||||||
return AnsibleUnsafeText(obj)
|
|
||||||
return obj
|
return obj
|
||||||
|
|
||||||
|
|
||||||
|
|
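Review bot: The comment block in UnsafeProxy.__new__ beginning `# In our usage we should only receive unicode strings.` is now stale, because the new guard `and not isinstance(obj, AnsibleUnsafeBytes)` deliberately lets byte strings pass through unchanged. I would rewrite it to state that text input is normalised into AnsibleUnsafeText, while values already tagged as AnsibleUnsafeBytes are returned as-is so they keep both their bytes type and the unsafe marker. Note that on Python 3 string_types excludes bytes, so the added isinstance clause only changes behaviour on Python 2 where binary_type is str; on Python 3 any plain, untagged bytes object already fell through to `return obj` without being marked unsafe, which is pre-existing but deserves a comment since callers may assume every return value is tagged. The new `class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe)` would also benefit from a one-line docstring mirroring AnsibleUnsafeText, e.g. `"""Byte string carrying the AnsibleUnsafe marker so it is not templated."""`.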