[bp-2.10] get_url - Allow checksum file to be local file:// (#75052)

This would be a partial solution for #69364 in that the
SHASUMS file can be downloaded and gpg verified but then
used from the downloaded location to verify the get_url's file.

* Make checksum url parsing more explicit

Use urlsplit to test if the checksum string has a (currently tested and) supported url scheme.

(cherry picked from commit eb8b3a8479ec82ad622f86ac46f3e9cc083952b8)

Co-authored-by: Edwin Hermans <edwin@madtech.cx>

1 files changed, 9 insertions, 1 deletions

diff --git a/lib/ansible/modules/get_url.py b/lib/ansible/modules/get_url.py
index 9036b35438..501704034e 100644
--- a/lib/ansible/modules/get_url.py
+++ b/lib/ansible/modules/get_url.py
@@ -416,6 +416,14 @@ def extract_filename_from_headers(headers):
     return res
 
 
+def is_url(checksum):
+    """
+    Returns True if checksum value has supported URL scheme, else False."""
+    supported_schemes = ('http', 'https', 'ftp', 'file')
+
+    return urlsplit(checksum).scheme in supported_schemes
+
+
 # ==============================================================
 # main
 
@@ -487,7 +495,7 @@ def main():
         except ValueError:
             module.fail_json(msg="The checksum parameter has to be in format <algorithm>:<checksum>", **result)
 
-        if checksum.startswith('http://') or checksum.startswith('https://') or checksum.startswith('ftp://'):
+        if is_url(checksum):
             checksum_url = checksum
             # download checksum file to checksum_tmpsrc
             checksum_tmpsrc, checksum_info = url_get(module, checksum_url, dest, use_proxy, last_mod_time, force, timeout, headers, tmp_dest)