by rarrrrrr
3436 days ago
Odd. I reported this very same form of vulnerability to the Ansible team in the 1.5.4 series in 2014, where the code basically eval'd the "facts" discovered from a system under management. There was this "safe_eval" function which filtered input in a way quite inconsistent with its name. The Ansible team was responsive and pleasant to work with. https://groups.google.com/forum/#!topic/ansible-project/MUQx... But I suspect lots of remote control and monitoring software products might have security bugs like this, where they assume that the returned information from systems under management is trustworthy. Edit to add: Here's the patch made to safe_eval. I had suggested using literal_eval instead, but I think they didn't want to require Python 2.6+.
https://github.com/ansible/ansible/commit/998793fd0ab55705d5...
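The bug class the comment describes, as an added illustration that is not Ansible's code and not the commenter's: a controller receives a string "fact" from a managed host and turns it into a Python object. Three hypothetical parsers are shown side by side. The first trusts the string and eval's it; the second is a denylist-then-eval "safe_eval" lookalike (a made-up filter, not the one in the linked patch); the third uses ast.literal_eval, which only accepts literals and rejects names, calls and attribute access outright. The sample fact strings, the DENYLIST tuple and the PWNED environment marker are all constructed for this example.

```python
import ast
import os

# Constructed sample facts, as strings a managed host might report back.
BENIGN_FACT = "{'distribution': 'Debian', 'cpus': 4, 'mounts': ['/', '/boot']}"

# Constructed hostile fact. It contains none of the tokens the denylist below
# looks for, yet when eval'd it runs with the controller's own globals, where
# "os" is already imported. The side effect is a harmless marker variable.
HOSTILE_FACT = "os.environ.update(PWNED='1') or {'distribution': 'Debian'}"

# Hypothetical denylist of "obviously dangerous" tokens. Any such list is
# incomplete because eval runs in the caller's namespace, not in a sandbox.
DENYLIST = ("__import__", "open(", "exec", "eval", "subprocess")


def parse_fact_eval(text):
    """'Before' behaviour: trust the string and evaluate it as Python."""
    return eval(text)


def parse_fact_denylist(text):
    """Filter-then-eval lookalike (hypothetical). Rejects strings that contain
    a denylisted token, then eval's whatever survived the filter."""
    lowered = text.lower()
    for token in DENYLIST:
        if token in lowered:
            raise ValueError("rejected by denylist: %s" % token)
    return eval(text)


def parse_fact_literal(text):
    """Hardened parser: ast.literal_eval accepts only literals (dicts, lists,
    tuples, strings, numbers, booleans, None). Names, calls and attribute
    access raise ValueError, so no code from the managed host is executed.
    A shape check afterwards rejects facts that are literals but not dicts."""
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("fact is not a plain literal: %r" % text) from exc
    if not isinstance(value, dict):
        raise ValueError("fact must be a dict, got %s" % type(value).__name__)
    return value


def hostile_payload_ran():
    """True if the constructed hostile fact managed to execute."""
    return os.environ.get("PWNED") == "1"


def clear_marker():
    os.environ.pop("PWNED", None)


if __name__ == "__main__":
    print("literal parser on benign fact:", parse_fact_literal(BENIGN_FACT))
    clear_marker()
    parse_fact_eval(HOSTILE_FACT)
    print("eval parser ran hostile fact:", hostile_payload_ran())
    clear_marker()
    parse_fact_denylist(HOSTILE_FACT)
    print("denylist parser ran hostile fact:", hostile_payload_ran())
    clear_marker()
    try:
        parse_fact_literal(HOSTILE_FACT)
    except ValueError as err:
        print("literal parser rejected hostile fact:", err)
    print("hostile fact ran under literal parser:", hostile_payload_ran())
```

The denylist parser fails not because the list is short but because the attacker never needs to name anything the filter knows about: whatever modules and helpers the controller has imported are reachable from the expression. literal_eval removes the whole attack surface by refusing to evaluate expressions at all; the remaining work is validating the shape of the resulting object, which is what the isinstance check stands in for.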