Ensure discovery unsafe (#55295)
* Ensure safe discovery by marking it Unsafe
(cherry picked from commit 24b44e1772
)
parent
6d8b124e16
commit
d73da98ecf
2 changed files with 6 additions and 3 deletions
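--- a/changelogs/fragments/ensure_discovery_unsafe.yml
+++ b/changelogs/fragments/ensure_discovery_unsafe.yml
@@ -0,0 +1,3 @@
+bugfixes:
+- SECURITY Fixed the python interpreter detection, added in 2.8.0alpha1, to properly mark the returned data as untemplatable.
+This prevents a malicious managed machine from running code on the controller via templating.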
|
@ -29,7 +29,7 @@ from ansible.module_utils._text import to_bytes, to_native, to_text
|
|||
from ansible.parsing.utils.jsonify import jsonify
|
||||
from ansible.release import __version__
|
||||
from ansible.utils.display import Display
|
||||
from ansible.utils.unsafe_proxy import wrap_var
|
||||
from ansible.utils.unsafe_proxy import wrap_var, AnsibleUnsafeText
|
||||
from ansible.vars.clean import remove_internal_keys
|
||||
|
||||
display = Display()
|
||||
|
@ -203,11 +203,11 @@ class ActionBase(with_metaclass(ABCMeta, object)):
|
|||
environment=final_environment)
|
||||
break
|
||||
except InterpreterDiscoveryRequiredError as idre:
|
||||
self._discovered_interpreter = discover_interpreter(
|
||||
self._discovered_interpreter = AnsibleUnsafeText(discover_interpreter(
|
||||
action=self,
|
||||
interpreter_name=idre.interpreter_name,
|
||||
discovery_mode=idre.discovery_mode,
|
||||
task_vars=task_vars)
|
||||
task_vars=task_vars))
|
||||
|
||||
# update the local task_vars with the discovered interpreter (which might be None);
|
||||
# we'll propagate back to the controller in the task result
|
||||
|
|
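Review bot: Wrapping the return value directly in `AnsibleUnsafeText(...)` in the `except InterpreterDiscoveryRequiredError` branch would turn a `None` result into the text `None`, and the comment just below the call says the discovered interpreter "might be None". If `discover_interpreter` can really return `None` (its body is not visible here), later code would see a truthy string instead of a missing value. Keeping the result in a local and wrapping only a real value avoids that: `found = discover_interpreter(...)` followed by `self._discovered_interpreter = AnsibleUnsafeText(found) if found is not None else None`. A one-line comment such as `# value originates from the managed host; mark it unsafe so the controller never templates it` would also record why the wrap is there. The enclosing method starts and ends outside the hunk.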