[2.14] Fix installing roles containing symlinks (#82911) #83139
+51
−90
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Fix installing roles containing symlinks Fix sanitizing tarfile symlinks relative to the link directory instead of the archive For example: role ├── handlers │ └── utils.yml -> ../tasks/utils/suite.yml The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role role/handlers/../tasks/utils/suite.yml the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml * Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent. * Build test case from role files to make it easier to add test cases Fixes ansible#82702 Fixes ansible#81965 Fixes ansible#82051 (cherry picked from commit e84240d)
ansibot
added
bug
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
ansibot
removed
the
needs_ci
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
This may not be mergeable, but opening it for consideration for any branches affected by 3a42a00 which was a follow-up to a security fix (ddf0311). I would also be happy with just reverting 3a42a00 if that's an option.
Fix sanitizing tarfile symlinks relative to the link directory instead of the archive
For example:
role
├── handlers
│ └── utils.yml -> ../tasks/utils/suite.yml
The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role
role/handlers/../tasks/utils/suite.yml
the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml
Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent.
Build test case from role files to make it easier to add test cases
Fixes #82702
Fixes #81965
Fixes #82051
(cherry picked from commit e84240d)
ISSUE TYPE