From de40ac02a5cd4ac3bb758d4e284955763c013938 Mon Sep 17 00:00:00 2001 From: Zhikang Zhang Date: Thu, 5 Jul 2018 10:26:12 -0400 Subject: [PATCH] Make ansible doesn't parse template-like password in user's input (#42275) NOTE: 1. Use unsafe decorator but not builtin escape wrapper in jinja2 since ansible will try parse ssh password twice, the builtin escape wrapper will be removed during the first parse. 2. Use class AnsibleUnsafeText but not '!unsafe' syntax since passwords are not loaded by YAML env, '!unsafe' syntax doesn't work for them. --- lib/ansible/cli/__init__.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py index 380ddc4e2a4..dcffbe24998 100644 --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -38,6 +38,7 @@ from ansible.errors import AnsibleOptionsError, AnsibleError from ansible.inventory.manager import InventoryManager from ansible.module_utils.six import with_metaclass, string_types from ansible.module_utils._text import to_bytes, to_text +from ansible.utils.unsafe_proxy import AnsibleUnsafeText from ansible.parsing.dataloader import DataLoader from ansible.release import __version__ from ansible.utils.path import unfrackpath @@ -329,7 +330,7 @@ class CLI(with_metaclass(ABCMeta, object)): sshpass = getpass.getpass(prompt="SSH password: ") become_prompt = "%s password[defaults to SSH password]: " % become_prompt_method if sshpass: - sshpass = to_bytes(sshpass, errors='strict', nonstring='simplerepr') + sshpass = AnsibleUnsafeText(to_bytes(sshpass, errors='strict', nonstring='simplerepr')) else: become_prompt = "%s password: " % become_prompt_method @@ -338,7 +339,7 @@ class CLI(with_metaclass(ABCMeta, object)): if op.ask_pass and becomepass == '': becomepass = sshpass if becomepass: - becomepass = to_bytes(becomepass) + becomepass = AnsibleUnsafeText(to_bytes(becomepass)) except EOFError: pass