prevent templating of passwords from prompt #59246
LGTM
shipit
I'm ok with this. We should look to expand UnsafeProxy to support bytes natively in the future.

Agreed, but since this is for backport I want to keep it as simple as possible to avoid other side effects.
* prevent templating of passwords from prompt fixes CVE-2019-10206 (cherry picked from commit e9a37f8)
* prevent templating of passwords from prompt (#59246)
  * prevent templating of passwords from prompt
    fixes CVE-2019-10206
    (cherry picked from commit e9a37f8)
  * Improve performance of UnsafeProxy __new__
    This adds an early return to the __new__ method of the UnsafeProxy object which avoids creating the unsafe object if the incoming object is already unsafe.
    (cherry picked from commit c1e23c2)
  (cherry picked from commit 490f17c)
So
hello{{world
is now a valid password at the prompt

fixes CVE-2019-10206
ISSUE TYPE
COMPONENT NAME
core
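
A minimal model of the behaviour described above, added here as an illustration and not taken from this PR or from Ansible's code. `UnsafeText`, `wrap_unsafe`, `render` and `TemplateError` are hypothetical names, and the toy `{{ name }}` renderer is an assumption standing in for the real template engine.

```python
import re

class TemplateError(ValueError):
    """Raised by the toy renderer for malformed or undefined expressions."""

class UnsafeText(str):
    """str subclass carrying a marker that tells the renderer to skip it."""
    __UNSAFE__ = True

def wrap_unsafe(value):
    """Mark prompt input as unsafe; return it unchanged if already marked."""
    if getattr(value, "__UNSAFE__", False):
        return value  # early return: no second wrapper object is created
    return UnsafeText(value)

_EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(value, variables):
    """Toy templater: expands {{ name }}, rejects stray delimiters,
    and passes anything marked unsafe through untouched."""
    if getattr(value, "__UNSAFE__", False):
        return value
    # Delimiters left over once well-formed expressions are removed are
    # a syntax error, which is why 'hello{{world' used to be rejected.
    leftover = _EXPR.sub("", value)
    if "{{" in leftover or "}}" in leftover:
        raise TemplateError("unbalanced template delimiters in %r" % value)

    def expand(match):
        name = match.group(1)
        if name not in variables:
            raise TemplateError("undefined variable %r" % name)
        return str(variables[name])

    return _EXPR.sub(expand, value)

if __name__ == "__main__":
    # Constructed sample data: one variable and two typed passwords.
    variables = {"vault_key": "s3cr3t"}
    for typed in ("hello{{world", "{{ vault_key }}"):
        try:
            before = render(typed, variables)
        except TemplateError as exc:
            before = "error: %s" % exc
        after = render(wrap_unsafe(typed), variables)
        print("typed=%r templated=%r wrapped=%r" % (typed, before, after))
```

The second sample shows the other half of the problem: without the wrapper, a prompt value that is a well-formed expression is silently replaced by the value of a variable instead of being used as typed.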