From 91242b8cc317755c95c65a0a6b9e0b7ad1c4fc22 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Wed, 4 Jan 2017 14:31:13 -0800
Subject: [PATCH] Leave a comment that .format() can lead to security risks
Couldn't find any code that does this now but left a comment so that we don't change something in the future without seeing that it could be a problem.
---
 lib/ansible/constants.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py
index 88eb42f831..4938395cc1 100644
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -323,6 +323,10 @@ MAX_FILE_SIZE_FOR_DIFF = get_config(p, DEFAULTS, 'max_diff_size', 'ANSIB
 # CONNECTION RELATED
 USE_PERSISTENT_CONNECTIONS = get_config(p, DEFAULTS, 'use_persistent_connections', 'ANSIBLE_USE_PERSISTENT_CONNECTIONS', False, value_type='boolean')
 ANSIBLE_SSH_ARGS = get_config(p, 'ssh_connection', 'ssh_args', 'ANSIBLE_SSH_ARGS', '-C -o ControlMaster=auto -o ControlPersist=60s')
+### WARNING: Someone might be tempted to switch this from percent-formatting
+# to .format() in the future. be sure to read this:
+# http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ and understand
+# that it may be a security risk to do so.
 ANSIBLE_SSH_CONTROL_PATH = get_config(p, 'ssh_connection', 'control_path', 'ANSIBLE_SSH_CONTROL_PATH', u"%(directory)s/ansible-ssh-%%h-%%p-%%r")
 ANSIBLE_SSH_CONTROL_PATH_DIR = get_config(p, 'ssh_connection', 'control_path_dir', 'ANSIBLE_SSH_CONTROL_PATH_DIR', u'~/.ansible/cp')
 ANSIBLE_SSH_PIPELINING = get_config(p, 'ssh_connection', 'pipelining', 'ANSIBLE_SSH_PIPELINING', False, value_type='boolean')
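Review bot: The added warning only links to the reason instead of stating it, and it sits on the constant's definition rather than at the place where the `%(directory)s` template is presumably expanded, so a maintainer changing that call site may never see it; the comment should say why the value matters, e.g. `# WARNING: control_path is read from user config/env and is later used as a format template. Keep percent-formatting: str.format() would let a config-supplied template reach attributes of the objects substituted into it (http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/).`, and a one-line pointer back to this note should be added next to the interpolation itself. The `###` prefix on the first added line differs from the single-`#` style used by the surrounding comments in the hunk, and `be sure` should be capitalized since it starts a sentence.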