CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry #67866
| @@ -42,7 +42,10 @@ Command Line | |||
| Deprecated | |||
| ========== | |||
|
|
|||
| No notable changes | |||
| - The ``params`` module option in ldap_attr and ldap_entry are deprecated on a short cycle (to be | |||
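Review bot: grammar nit on the added changelog line: the subject is singular, so it should read "The ``params`` module option in ldap_attr and ldap_entry is deprecated on a short cycle", not "are". Since the short cycle is justified by a security issue, consider naming the reason in the entry (the option lets bind_pw bypass normal option handling, CVE-2020-1746) so readers of the porting guide understand why the usual deprecation period was not followed.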
I'm happy with the shorter cycle from a community point of view
| # Update module parameters with user's parameters if defined | ||
| if 'params' in module.params and isinstance(module.params['params'], dict): | ||
| # For Ansible-2.9.x and below, allow the params module parameter with a warning | ||
| if LooseVersion(module.ansible_version) < LooseVersion('2.10'): |
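Review bot: the `isinstance(module.params['params'], dict)` guard on the second line means a non-dict value for `params` (a string or a list) is silently ignored rather than reported, unless the argument_spec already types it as dict; failing with a clear message is kinder to users who will otherwise wonder why their settings were dropped. Also confirm `LooseVersion` is imported in this module (`from distutils.version import LooseVersion`), since the comparison on the last line depends on it.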
Is this so the same code can be backported to previous Ansible releases?
Correct. We removed params from yum_repository and jenkins_plugin on a short cycle before but didn't backport the changes. Since this is a security issue, we should backport it. I tried to make the change do less for 2.9 and earlier (only disallowing bind_pw usage).
04de173 to afa1a47
Just some docs nits. I changed 'via' to 'with' but you could use 'through' instead if you think that reads better. We're trying to avoid Latin as it causes translation problems.
cc687fe to 30ded80
@felixfontein (Maybe @drybjed ) Does this look okay to you?
@abadger Looks good to me.
LGTM
I also tested that
docs portion LGTM
Module options that circumvent Ansible's option handling were disallowed in: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Additionally, this particular usage can be insecure if bind_pw is set this way as the password could end up in a logfile or displayed on stdout. Fixes CVE-2020-1746
| # However, the bind_pw parameter contains a password so it **must** go through the normal | ||
| # argument parsing even though removing it breaks backwards compat. | ||
| if 'bind_pw' in module.params['params']: | ||
| module.fail_json("Using `bind_pw` with the `params` option has been disallowed since" |
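Review bot: `module.fail_json` takes the message as the `msg` keyword, so the call on the last line should be `module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since ...")`; with the current positional argument the failure path itself raises a TypeError instead of showing the intended message, and the same applies to the other fail_json calls added in this change. Consider also expanding the comment above it to say what the normal argument parsing buys: `bind_pw` is declared `no_log` in the argument_spec, so a value passed that way is masked in logs and output, while a value smuggled inside the free-form `params` dict is not.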
fail_json requires a msg keyword argument. Needs to be updated for the other places fail_json was added too.
Doh.... I'll fix that here and also open an issue to change that behaviour in fail_json. It's a mandatory parameter so there's no reason it shouldn't be accessible as a positional arg too.
Fix pushed
This was updated for community.general in ansible-collections/community.general#113. The three backports are linked above. @abadger If you have a chance to review those I'd appreciate it.
Fix for CVE-2020-1746
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
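As an added illustration (not code from this PR or from Ansible) of the risk the description above names: a simplified model of no_log masking, which only covers options declared in the argument_spec, so a password nested inside the free-form ``params`` dict reaches the log in clear text, plus a pure-Python approximation of the check the patch adds. The masking function and `check_params_option` are assumptions standing in for AnsibleModule's real behaviour.

```python
# Constructed illustration: why bind_pw must go through normal option
# handling, and the rule the patch introduces. Not Ansible's own code.

ARGUMENT_SPEC = {  # subset of ldap_entry's options (constructed)
    "dn": {"type": "str", "required": True},
    "bind_dn": {"type": "str"},
    "bind_pw": {"type": "str", "no_log": True},
    "params": {"type": "dict"},
}


def masked_invocation(spec, params):
    """Render arguments as they would reach a log file or stdout.

    Simplified stand-in for no_log handling: only the value of a top-level
    option declared no_log in the spec is replaced. Anything nested inside
    an undeclared free-form dict (such as ``params``) is copied through.
    """
    out = {}
    for key, value in params.items():
        out[key] = "********" if spec.get(key, {}).get("no_log") else value
    return out


def _version_tuple(version):
    # Compare only major.minor, enough to distinguish 2.9.x from 2.10+.
    return tuple(int(part) for part in version.split(".")[:2])


def check_params_option(params, ansible_version):
    """Approximate the PR's rule; returns (action, message) instead of
    calling module.fail_json / module.warn.

    Before 2.10 the ``params`` dict is still merged with a warning, unless
    it carries bind_pw, which is always rejected. From 2.10 on, ``params``
    itself is rejected (the option is being removed).
    """
    extra = params.get("params")
    if not isinstance(extra, dict):
        return ("ok", "")
    if _version_tuple(ansible_version) < (2, 10):
        if "bind_pw" in extra:
            return ("fail", "Using bind_pw with the params option is not "
                            "allowed; pass bind_pw as a regular option so "
                            "no_log can mask it")
        return ("warn", "The params option is deprecated; move its keys "
                        "to regular module options")
    return ("fail", "The params option has been removed; use regular "
                    "module options instead")
```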