Make ansible doesn't parse template-like password in user's input (#42275)

NOTE: 1. Use unsafe decorator but not builtin escape wrapper in jinja2 since ansible will try parse ssh password twice, the builtin escape wrapper will be removed during the first parse. 2. Use class AnsibleUnsafeText but not '!unsafe' syntax since passwords are not loaded by YAML env, '!unsafe' syntax doesn't work for them.
6 years ago · de40ac02a5
parent d962611528
commit de40ac02a5
1 changed files with 3 additions and 2 deletions
--- a/lib/ansible/cli/init.py
+++ b/lib/ansible/cli/init.py
@ -38,6 +38,7 @@ from ansible.errors import AnsibleOptionsError, AnsibleError
 from ansible.inventory.manager import InventoryManager
 from ansible.module_utils.six import with_metaclass, string_types
 from ansible.module_utils._text import to_bytes, to_text
+from ansible.utils.unsafe_proxy import AnsibleUnsafeText
 from ansible.parsing.dataloader import DataLoader
 from ansible.release import __version__
 from ansible.utils.path import unfrackpath
@ -329,7 +330,7 @@ class CLI(with_metaclass(ABCMeta, object)):
                sshpass = getpass.getpass(prompt="SSH password: ")
                become_prompt = "%s password[defaults to SSH password]: " % become_prompt_method
                if sshpass:
-                    sshpass = to_bytes(sshpass, errors='strict', nonstring='simplerepr')
+                    sshpass = AnsibleUnsafeText(to_bytes(sshpass, errors='strict', nonstring='simplerepr'))
            else:
                become_prompt = "%s password: " % become_prompt_method

@ -338,7 +339,7 @@ class CLI(with_metaclass(ABCMeta, object)):
                if op.ask_pass and becomepass == '':
                    becomepass = sshpass
                if becomepass:
-                    becomepass = to_bytes(becomepass)
+                    becomepass = AnsibleUnsafeText(to_bytes(becomepass))
        except EOFError:
            pass