Hi Tomasz,

All security fixes are intended to be resolved as of 1.7.10, not 1.6.7.

These issues were about injection of new parameters, not the fact that a particular value can be templated, especially one like content (which is useful and intentional).

If you think you have discovered something new, please contact us at [email protected] and we can agree on details and a release date. Please see our security policy at http://www.ansible.com/security for information about reporting details.

Let's discuss there ([email protected]) to avoid leaking a potential exploit, should you think you have one, which right now, I'm not seeing enough detail to see one.

Thank you!

On Tue, Aug 12, 2014 at 4:10 PM, Tomasz Kontusz <[email protected]> wrote:

> Hi!
> I'm not sending this in as a security issue, as I don't think there are
> playbooks like that in the wild.
>
> If I understood the changes in 1.6.7+ properly, they were about protecting
> against injecting arguments like this:
>
> - set_fact:
>     foo: 'bar" mode="0666'
> - copy: content="{{ foo }}" dest=/etc/somesecret
>
> But it seems it's still possible to create playbooks that are not safe
> against argument injection:
>
> - set_fact:
>     foo: 'bar\n", "mode": "0666'
> - copy: ""
>   args: '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
>
> Is it by accident, or is templating the whole args dictionary considered
> too funky to be used (and so, to secure)?
>
> ---
> Tomasz Kontusz
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/53EA74A7.8050205%40gmail.com.
> For more options, visit https://groups.google.com/d/optout.
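The first playbook in the quoted message, replayed as an added Python example (not part of the thread and not Ansible's code): it shows why the order of templating and key=value parsing decides whether a variable's value can add a parameter such as mode. `render`, `parse_kv` and the three wrapper functions are hypothetical, simplified stand-ins written for this illustration.

```python
import re
import shlex

# Simplified stand-in for "{{ name }}" substitution; not Ansible's template engine.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Argument string and variable value taken from the first playbook in the thread.
ARGS = 'content="{{ foo }}" dest=/etc/somesecret'
INJECTED = {"foo": 'bar" mode="0666'}


def render(text, variables):
    """Replace each {{ name }} with the variable's value, verbatim."""
    return _VAR.sub(lambda m: str(variables[m.group(1)]), text)


def parse_kv(arg_string):
    """Split a 'key=value key2="value 2"' string into a dict."""
    params = {}
    for token in shlex.split(arg_string):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("token without '=': %r" % token)
        params[key] = value
    return params


def template_then_parse(arg_string, variables):
    """Unsafe order: the rendered value is re-tokenized along with the rest."""
    return parse_kv(render(arg_string, variables))


def parse_then_template(arg_string, variables):
    """Safer order: the key set is fixed before any value is rendered."""
    return {k: render(v, variables) for k, v in parse_kv(arg_string).items()}


def checked_template_then_parse(arg_string, variables):
    """Keep the first order, but reject a render that changes the key set."""
    before = set(parse_kv(arg_string))
    after = template_then_parse(arg_string, variables)
    extra = set(after) - before
    if extra:
        raise ValueError("templating introduced parameters: %s" % sorted(extra))
    return after
```

With `ARGS` and `INJECTED`, the first function returns a `mode` key that the playbook author never wrote, the second keeps the whole value inside `content`, and the third raises.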
