Thanks for your fast reply!
Brian Coca:
> No, Ansible can only protect you so much, like in normal shell, you
> really want to quote variable input:
>
> `cat "{{fact123}}"` would work the same as when running a shell script
> `cat "$MYVAR"`
So you confirm that my example gives the remote server remote code
execution on the Ansible host, right?
Does using the 'command' module instead of the shell module kill this
entire attack possibility (besides always quoting vars) and would
therefore be a good preference over the shell module?
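
The distinction this question turns on, a value pasted into a shell string versus a value handed over as a plain argument with no shell involved, shown as an added example using Python's `subprocess` (not code from this thread or from Ansible). `HOSTILE_FACT` and the function names are constructed for illustration, and the functions only model shell versus no-shell execution, not Ansible's module internals.

```python
import shlex
import subprocess

# Constructed stand-in for a fact value reported by an untrusted remote host.
HOSTILE_FACT = "/dev/null; echo INJECTED"


def run_shell_interpolated(value):
    """Model of a shell task with the value pasted in unquoted.

    The shell parses the whole string, so metacharacters in the value
    (here ';') are treated as shell syntax.
    """
    return subprocess.run("cat " + value, shell=True,
                          capture_output=True, text=True)


def run_shell_quoted(value):
    """Same shell task, but the value is escaped with shlex.quote first.

    The shell now sees the value as a single literal word.
    """
    return subprocess.run("cat " + shlex.quote(value), shell=True,
                          capture_output=True, text=True)


def run_without_shell(value):
    """Model of running the program directly, with no shell at all.

    The value is one argv element; nothing ever parses it as shell syntax.
    """
    return subprocess.run(["cat", value], capture_output=True, text=True)


if __name__ == "__main__":
    for fn in (run_shell_interpolated, run_shell_quoted, run_without_shell):
        result = fn(HOSTILE_FACT)
        injected = "INJECTED" in result.stdout
        print(f"{fn.__name__:24} rc={result.returncode} "
              f"second command ran: {injected}")
```

Running without a shell removes shell parsing, but the value is still passed to the program as an argument, so a value beginning with `-` is still read by the program as an option.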