[stable-2.6] Wrap CLI passwords as AnsibleUnsafeText (#63352) (#63393)

* [stable-2.6] Wrap CLI passwords as AnsibleUnsafeText (#63352) * isa string should rewrap as unsafe in get_validated_value * _is_unsafe shouldn't be concerned with underlying types * Start with passwords as text, instead of bytes * Remove unused imports * Add changelog fragment * Update changelog with CVE. (cherry picked from commit baeff7462d5d877b6849aa78f50860e7d10ce950) Co-authored-by: Matt Martz <matt@sivel.net> * Update tests
author: Matt Martz <matt@sivel.net> 2019-10-11 12:32:01 -0500
committer: Toshio Kuratomi <a.badger@gmail.com> 2019-10-11 10:32:00 -0700
commit: 16684f118715a52e1c46d437652add9ca36423de (patch)
tree: 9686e5cdf31c904a6e7562f01f5e3b6db380a282 /changelogs/fragments/dont-template-cli-passwords.yml
parent: d961f676c01023a6a21503df16ba551a550e515b (diff)
download: ansible-16684f118715a52e1c46d437652add9ca36423de.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/fragments/dont-template-cli-passwords.yml b/changelogs/fragments/dont-template-cli-passwords.yml
new file mode 100644
index 0000000000..ddaccc07af
--- /dev/null
+++ b/changelogs/fragments/dont-template-cli-passwords.yml
@@ -0,0 +1,6 @@
+bugfixes:
+- >
+  **security issue** - Convert CLI provided passwords to text initially, to
+  prevent unsafe context being lost when converting from bytes->text during
+  post processing of PlayContext. This prevents CLI provided passwords from
+  being incorrectly templated (CVE-2019-14856)
author	Matt Martz <matt@sivel.net>	2019-10-11 12:32:01 -0500
committer	Toshio Kuratomi <a.badger@gmail.com>	2019-10-11 10:32:00 -0700
commit	16684f118715a52e1c46d437652add9ca36423de (patch)
tree	9686e5cdf31c904a6e7562f01f5e3b6db380a282 /changelogs/fragments/dont-template-cli-passwords.yml
parent	d961f676c01023a6a21503df16ba551a550e515b (diff)
download	ansible-16684f118715a52e1c46d437652add9ca36423de.tar.gz