author Brian Coca <bcoca@users.noreply.github.com> 2020-04-08 14:28:51 -0400
committer Matt Clay <matt@mystile.com> 2020-04-15 12:47:55 -0700
commit 3c484831f87035db7eeb7ed405f905c134b56a53
tree 3b8b2009266847eb5ab7fbe0425609035168d7c5 /changelogs
parent ef32a5bf96a89107986375516285253c1380d7ef
fixed fetch traversal from slurp (#68720)

* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* fixed bug in local connection plugin
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
* fixed bug in local connection

fixes #67793

CVE-2019-3828

(cherry picked from commit ba87c225cd13343c35075fe7fc15b4cf1343fed6)
Diffstat (limited to 'changelogs')
-rw-r--r-- changelogs/fragments/fetch_no_slurp.yml 2
1 files changed, 2 insertions, 0 deletions
diff --git a/changelogs/fragments/fetch_no_slurp.yml b/changelogs/fragments/fetch_no_slurp.yml
new file mode 100644
index 0000000000..c742d40c3b
--- /dev/null
+++ b/changelogs/fragments/fetch_no_slurp.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2019-3828.
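Review bot: the bugfix entry on the second added line tacks CVE-2019-3828 onto the end of the sentence with no punctuation, so it is unclear whether the identifier covers the dest handling, the traversal check, or both, and the entry never says which path the traversal affects. Suggest leading with the module name and setting the identifier off in parentheses, for example "fetch - avoid using slurp return to set up dest, also ensure no dir traversal (CVE-2019-3828)." Because the entry carries a CVE, it is also worth filing it under a security section instead of bugfixes, if this branch's changelog configuration defines one, so that users scanning release notes for security fixes do not miss it.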