5260527c4a
* Change default file permissions so they are not world readable CVE-2020-1736 Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults. A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code. - use a set for storing list of created files - just check the argument spac and params rather than using another property - improve the warning message to include the default permissions |
||
---|---|---|
.. | ||
_vendor | ||
ansible_test | ||
cli | ||
compat | ||
config | ||
errors | ||
executor | ||
galaxy | ||
inventory | ||
inventory_test_data/group_vars | ||
mock | ||
module_utils | ||
modules | ||
parsing | ||
playbook | ||
plugins | ||
regex | ||
template | ||
utils | ||
vars | ||
__init__.py | ||
requirements.txt | ||
test_constants.py | ||
test_context.py |