prevent templating of passwords from prompt #59246

Merged
merged 3 commits into from Jul 24, 2019

Member

@bcoca bcoca commented Jul 18, 2019

So hello{{world is now a valid password at the prompt

fixes CVE-2019-10206

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

core

@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. needs_triage Needs a first human triage before being processed. small_patch support:core This issue/PR relates to code supported by the Ansible Engineering Team. support:community This issue/PR relates to code supported by the Ansible community. and removed small_patch labels Jul 18, 2019
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Jul 18, 2019
Contributor

@mkrizek mkrizek left a comment

LGTM

@ansibot ansibot added shipit This PR is ready to be merged by Core and removed core_review In order to be merged, this PR must follow the core review workflow. labels Jul 24, 2019
Contributor

@s-hertel s-hertel left a comment

shipit

lib/ansible/cli/__init__.py (outdated review thread, resolved)
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed shipit This PR is ready to be merged by Core labels Jul 24, 2019
Member

@sivel sivel left a comment

I'm ok with this. We should look to expand UnsafeProxy to support bytes natively in the future.

Member Author

bcoca commented Jul 24, 2019

Agreed, but since this is for backport I want to keep it as simple as possible to avoid other side effects.

@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Jul 24, 2019
@bcoca bcoca merged commit e9a37f8 into ansible:devel Jul 24, 2019
@bcoca bcoca deleted the unsafe_passwords branch July 24, 2019 20:00
bcoca added a commit to bcoca/ansible that referenced this pull request Jul 24, 2019
* prevent templating of passwords from prompt

  fixes CVE-2019-10206

(cherry picked from commit e9a37f8)
abadger pushed a commit that referenced this pull request Aug 7, 2019
* prevent templating of passwords from prompt

  fixes CVE-2019-10206

(cherry picked from commit e9a37f8)
abadger pushed a commit that referenced this pull request Aug 13, 2019
* prevent templating of passwords from prompt (#59246)

* prevent templating of passwords from prompt

  fixes CVE-2019-10206

(cherry picked from commit e9a37f8)

* Improve performance of UnsafeProxy __new__

This adds an early return to the __new__ method of the UnsafeProxy object
which avoids creating the unsafe object if the incoming object is already
unsafe.

(cherry picked from commit c1e23c2)
(cherry picked from commit 490f17c)
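
A toy model of the behaviour this PR describes and of the `UnsafeProxy` early return mentioned in the commit message above, added here as an illustration and not taken from Ansible's code. `UnsafeText`, `wrap_unsafe` and `render` are hypothetical names, and the regex renderer only stands in for a real template engine.

```python
import re

_EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")   # toy syntax: {{ name }}


class UnsafeText(str):
    """Hypothetical marker type: text the renderer must treat as literal data."""
    __UNSAFE__ = True


def wrap_unsafe(value):
    """Mark a value (for example a password read from a prompt) as unsafe."""
    if getattr(value, "__UNSAFE__", False):
        return value                  # early return: already marked, no new object
    if isinstance(value, bytes):      # this sketch decodes bytes before wrapping
        value = value.decode("utf-8")
    return UnsafeText(value)


def render(value, variables):
    """Toy stand-in for a template engine."""
    if getattr(value, "__UNSAFE__", False):
        return value                  # marked input is returned untouched
    if "{{" in _EXPR.sub("", value):
        raise ValueError("template syntax error: unclosed '{{'")
    return _EXPR.sub(lambda m: str(variables[m.group(1)]), value)


def demo():
    variables = {"user": "deploy"}    # constructed sample data
    typed = "hello{{world"            # the password from the PR description
    try:
        render(typed, variables)
        unmarked = "rendered"
    except ValueError:
        unmarked = "rejected"
    marked = wrap_unsafe(typed)
    return unmarked, render(marked, variables), wrap_unsafe(marked) is marked


if __name__ == "__main__":
    print(demo())
```

Marking the value once, where it is read, means every later rendering pass sees the marker and leaves the password byte-for-byte as typed.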
@ansible ansible locked and limited conversation to collaborators Aug 21, 2019