From f1c4a954d568da8c0d635d846c99706c81d8be41 Mon Sep 17 00:00:00 2001
From: Bernhard Dick
Date: Wed, 30 Sep 2020 20:43:24 +0200
Subject: [PATCH] Close file descriptor of temporary file after building certificate chain (#71825)
* Close file descriptor of temporary file after building certificate chain.
* Add changelog fragment for PR71825
---
 .../71825-close-file-descriptor-after-building-cert-chaing.yml | 3 +++
 lib/ansible/module_utils/urls.py | 2 ++
 2 files changed, 5 insertions(+)
 create mode 100644 changelogs/fragments/71825-close-file-descriptor-after-building-cert-chaing.yml
diff --git a/changelogs/fragments/71825-close-file-descriptor-after-building-cert-chaing.yml b/changelogs/fragments/71825-close-file-descriptor-after-building-cert-chaing.yml
new file mode 100644
index 00000000000..d17ba1df193
--- /dev/null
+++ b/changelogs/fragments/71825-close-file-descriptor-after-building-cert-chaing.yml
@@ -0,0 +1,3 @@
+bugfixes:
+ - urls - Close filedescriptor of certificate chain tempfile to prevent stale
+ filedescriptor leakage (https://github.com/ansible/ansible/pull/71825).
diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
index 2502df092bb..d5e87e21d57 100644
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@@ -900,6 +900,8 @@ class SSLValidationHandler(urllib_request.BaseHandler):
 if HAS_SSLCONTEXT:
 default_verify_paths = ssl.get_default_verify_paths()
 paths_checked[:0] = [default_verify_paths.capath]
+ else:
+ os.close(tmp_fd)
 return (tmp_path, cadata, paths_checked)
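Review bot: The added `os.close(tmp_fd)` in urls.py runs only when control falls through to the final `if HAS_SSLCONTEXT:` / `else:` just before the `return`. The code that opens and writes `tmp_fd` lies outside this hunk, so this is inferred, but any exception raised between opening the descriptor and this line would still leak it. Wrapping the write section in `try:` … `finally: os.close(tmp_fd)` on the non-SSLContext path would close it on every exit. The `else` placement also implies `tmp_fd` is bound only when `HAS_SSLCONTEXT` is false, which is worth stating next to the call, for example `# tmp_fd exists only on the non-SSLContext path, where the CA bundle is written to a temp file`.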