ansible/changelogs/fragments/dont-template-cli-passwords.yml
Matt Martz 7f4befdea7
Wrap CLI Passwords with AnsibleUnsafeText, ensure unsafe context is not lost during encode/decode (#63351)
* Wrap .encode and .decode on AnsibleUnsafe objects

* runme.sh needs to be executable

* ci_complete

* Update changelog with CVE
2019-10-11 09:17:10 -05:00

12 lines
609 B
YAML

bugfixes:
- >
**security issue** - Convert CLI provided passwords to text initially, to
prevent unsafe context being lost when converting from bytes->text during
post processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
- >
**security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
removing the unsafe wrapper when converting between string types
(CVE-2019-14856)