prevent ansible_facts injection #68431

Merged
merged 1 commit into from Mar 24, 2020

@bcoca (Member) commented Mar 24, 2020

  • also only replace when needed
  • switched from replace to index
  • added test to verify bogus_facts are not accepted

CVE-2020-10684

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

facts

@ansibot (Contributor) commented Mar 24, 2020

@ansibot added labels on Mar 24, 2020:
  • affects_2.10 (This issue/PR affects Ansible v2.10)
  • bug (This issue/PR relates to a bug.)
  • core_review (In order to be merged, this PR must follow the core review workflow.)
  • needs_triage (Needs a first human triage before being processed.)
  • support:community (This issue/PR relates to code supported by the Ansible community.)
  • support:core (This issue/PR relates to code supported by the Ansible Engineering Team.)
  • test (This PR relates to tests.)
@bcoca added the P1 label (Priority 1 - Immediate Attention Required; Release Immediately After Fixed) Mar 24, 2020
@bcoca removed the needs_triage label (Needs a first human triage before being processed.) Mar 24, 2020
@bcoca merged commit a9d2cea into ansible:devel Mar 24, 2020
@bcoca deleted the af_clean branch March 24, 2020 19:47
bcoca added a commit to bcoca/ansible that referenced this pull request Mar 24, 2020
 - also only replace when needed
 - switched from replace to index
 - added test to verify bogus_facts are not accepted

CVE-2020-10684

(cherry picked from commit a9d2cea)
@lilongjiang1

@mattclay when will we publish the fix, any schedule?

mattclay pushed a commit that referenced this pull request Apr 15, 2020
 - also only replace when needed
 - switched from replace to index
 - added test to verify bogus_facts are not accepted

CVE-2020-10684

(cherry picked from commit a9d2cea)
mattclay pushed a commit that referenced this pull request Apr 15, 2020
* prevent ansible_facts injection (#68431)

 - also only replace when needed
 - switched from replace to index
 - added test to verify bogus_facts are not accepted

CVE-2020-10684

(cherry picked from commit a9d2cea)

* added to ignore
mattclay pushed a commit that referenced this pull request Apr 15, 2020
* prevent ansible_facts injection (#68431)

 - also only replace when needed
 - switched from replace to index
 - added test to verify bogus_facts are not accepted

CVE-2020-10684

(cherry picked from commit a9d2cea)

* add to ignore
@ansible ansible locked and limited conversation to collaborators Apr 21, 2020