Slight correction: when I say 1.7.10 above, I mean 1.7.0.
On Tue, Aug 12, 2014 at 4:42 PM, Michael DeHaan <[email protected]> wrote:
> Hi Tomasz,
>
> All security fixes are intended to be resolved as of 1.7.10, not 1.6.7.
>
> These issues were about injection of new parameters, not the fact that a
> particular value can be templated, especially one like content (which is
> useful and intentional).
>
> If you think you have discovered something new, please contact us at
> [email protected] and we can agree on details and a release date.
>
> Please see our security policy at http://www.ansible.com/security for
> information about reporting details.
>
> Let's discuss there ([email protected]) to avoid leaking a potential
> exploit, should you think you have one, which right now, I'm not seeing
> enough detail to see one.
>
> Thank you!
>
> On Tue, Aug 12, 2014 at 4:10 PM, Tomasz Kontusz <[email protected]> wrote:
>
>> Hi!
>> I'm not sending this in as a security issue, as I don't think there are
>> playbooks like that in the wild.
>>
>> If I understood the changes in 1.6.7+ properly, they were about
>> protecting against injecting arguments like this:
>>
>>   - set_fact:
>>       foo: 'bar" mode="0666'
>>   - copy: content="{{ foo }}" dest=/etc/somesecret
>>
>> But it seems it's still possible to create playbooks that are not safe
>> against argument injection:
>>
>>   - set_fact:
>>       foo: 'bar\n", "mode": "0666'
>>   - copy: ""
>>     args: '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
>>
>> Is it by accident, or is templating the whole args dictionary considered
>> too funky to be used (and so, to secure)?
>>
>> ---
>> Tomasz Kontusz
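The mechanism Tomasz describes, as an added illustration that is not part of the thread and not Ansible's own code: when `args` is a single string that is templated and only then parsed into a dictionary, a variable value can add keys; when `args` is already a mapping and only its values are templated, the key set is fixed. The `render` helper is a minimal stand-in for Jinja2 substitution, and `flag_string_args` is an assumed lint check that reports tasks using the string form.

```python
"""Templated-string args vs. mapping args, plus a lint check (added example)."""
import json
import re

# Constructed values mirroring the thread's second playbook: the variable
# holds a JSON fragment that closes the "content" value and adds "mode".
UNSAFE_VAR = 'bar\\n", "mode": "0666'
ARGS_STRING = '{ "content": "{{ foo }}", "dest": "/tmp/foo" }'
ARGS_MAPPING = {"content": "{{ foo }}", "dest": "/tmp/foo"}

_TMPL = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(text, variables):
    """Minimal stand-in for Jinja2 variable substitution (assumption)."""
    return _TMPL.sub(lambda m: str(variables[m.group(1)]), text)


def args_from_string(args_string, variables):
    """Template the whole string first, then parse it: keys can be injected."""
    return json.loads(render(args_string, variables))


def args_from_mapping(args_mapping, variables):
    """Template only leaf values of an existing mapping: keys stay fixed."""
    return {k: render(v, variables) if isinstance(v, str) else v
            for k, v in args_mapping.items()}


def unexpected_keys(task_args, expected):
    """Keys present in the resolved args that the playbook never declared."""
    return sorted(set(task_args) - set(expected))


def flag_string_args(tasks):
    """Lint: indices of tasks whose 'args' is a string containing a template."""
    return [i for i, task in enumerate(tasks)
            if isinstance(task.get("args"), str) and _TMPL.search(task["args"])]


if __name__ == "__main__":
    v = {"foo": UNSAFE_VAR}
    print("string form :", args_from_string(ARGS_STRING, v))
    print("mapping form:", args_from_mapping(ARGS_MAPPING, v))
    print("flagged     :", flag_string_args([{"copy": "", "args": ARGS_STRING}]))
```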
