diff options
| author | Brian Coca <bcoca@users.noreply.github.com> | 2020-04-08 14:28:51 -0400 |
|---|---|---|
| committer | Matt Clay <matt@mystile.com> | 2020-04-15 12:47:35 -0700 |
| commit | 290bfa820d533dc224e0c3fa7dd7c6b907ed0189 (patch) | |
| tree | f8b6eebbc4b3f287ad86bbac5746461fa84ffe7f /lib/ansible/utils | |
| parent | 685a4b6d3ff72186d2b4ffce73172a5446a71ccc (diff) | |
| download | ansible-290bfa820d533dc224e0c3fa7dd7c6b907ed0189.tar.gz | |
fixed fetch traversal from slurp (#68720)
* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* fixed bug in local connection plugin
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
* fixed bug in local connection
fixes #67793
CVE-2019-3828
(cherry picked from commit ba87c225cd13343c35075fe7fc15b4cf1343fed6)
Diffstat (limited to 'lib/ansible/utils')
| -rw-r--r-- | lib/ansible/utils/path.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/lib/ansible/utils/path.py b/lib/ansible/utils/path.py index 05649db79a..df2769fbf0 100644 --- a/lib/ansible/utils/path.py +++ b/lib/ansible/utils/path.py @@ -132,3 +132,26 @@ def cleanup_tmp_file(path, warn=False): display.display(u'Unable to remove temporary file {0}'.format(to_text(e))) except Exception: pass + + +def is_subpath(child, parent): + """ + Compares paths to check if one is contained in the other + :arg: child: Path to test + :arg parent; Path to test against + """ + test = False + + abs_child = unfrackpath(child, follow=False) + abs_parent = unfrackpath(parent, follow=False) + + c = abs_child.split(os.path.sep) + p = abs_parent.split(os.path.sep) + + try: + test = c[:len(p)] == p + except IndexError: + # child is shorter than parent so cannot be subpath + pass + + return test |