Disallow use of remote home directories containing .. in their path (CVE-2019-3828) (#52133)

* Disallow use of remote home directories containing .. in their path * Add CVE to changelog
2026-05-06 13:22:48 +00:00 · 2019-02-13 10:38:28 -06:00
parent 9f081ca04f
commit b34d141eed
3 changed files with 44 additions and 23 deletions
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@@ -635,6 +635,9 @@ class ActionBase(with_metaclass(ABCMeta, object)):
        else:
            expanded = initial_fragment

+        if '..' in os.path.dirname(expanded).split('/'):
+            raise AnsibleError("'%s' returned an invalid relative home directory path containing '..'" % self._play_context.remote_addr)
+
        return expanded

    def _strip_success_message(self, data):