Hi!
I'm not sending this in as a security issue, as I don't think there are
playbooks like that in the wild.
If I understood the changes in 1.6.7+ properly, they were about
protecting against injecting arguments like this:
    - set_fact:
        foo: 'bar" mode="0666'
    - copy: content="{{ foo }}" dest=/etc/somesecret
But it seems it's still possible to create playbooks that are not safe
against argument injection:
    - set_fact:
        foo: 'bar\n", "mode": "0666'
    - copy: ""
      args: '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
Is it by accident, or is templating the whole args dictionary considered
too funky to be used (and so, to secure)?
---
Tomasz Kontusz
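
Added example, not part of the original message and not Ansible's own code: a Python sketch of why templating the args string before parsing it lets a variable add keys, and how parsing first confines the variable to a single value. The render helper is a hypothetical stand-in for the template engine; FOO and ARGS_TEMPLATE are constructed from the second snippet in the message.

```python
import json
import re

# Constructed sample mirroring the message: the fact value and the args template.
FOO = 'bar\\n", "mode": "0666'
ARGS_TEMPLATE = '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(text, variables):
    """Hypothetical minimal template step: substitutes {{ name }} only."""
    return _VAR.sub(lambda m: str(variables[m.group(1)]), text)


def template_then_parse(template, variables):
    """Unsafe order: the variable's text becomes part of the JSON syntax."""
    return json.loads(render(template, variables))


def parse_then_template(template, variables):
    """Safer order: fix the structure first, then template each string value."""
    parsed = json.loads(template)
    return {
        key: render(value, variables) if isinstance(value, str) else value
        for key, value in parsed.items()
    }


def injected_keys(template, variables):
    """Keys that appear after template-then-parse but were never written
    in the template itself; a non-empty result means argument injection."""
    declared = set(json.loads(_VAR.sub("", template)))
    return sorted(set(template_then_parse(template, variables)) - declared)


if __name__ == "__main__":
    variables = {"foo": FOO}
    print("template then parse:", template_then_parse(ARGS_TEMPLATE, variables))
    print("parse then template:", parse_then_template(ARGS_TEMPLATE, variables))
    print("injected keys:", injected_keys(ARGS_TEMPLATE, variables))
```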