Split shell command to avoid use_unsafe_shell.

This mirrors a nearly identical change made to apt_repository.py. Also removes the use of apt-get --force-yes as it can be dangerous and should not be necessary (apt_repository.py does not use it). Repeating the explanation from the apt_respository change below: Since use_unsafe_shell is suspicious from a security point of view (or it wouldn't be unsafe), the less we have, the less code we have to thoroughly inspect for a security audit. In this case, the '&&' can be replaced by doing 2 calls to run_command.
2024-09-14 20:13:21 +02:00 · 2016-01-31 02:22:59 -08:00 · 2016-01-31 02:22:59 -08:00 · 53b0fd65ee
commit 53b0fd65ee
parent 75e8b365b4
1 changed files with 2 additions and 1 deletions
--- a/lib/ansible/modules/packaging/os/apt.py
+++ b/lib/ansible/modules/packaging/os/apt.py
@ -611,7 +611,8 @@ def main():
        if module.check_mode:
            module.fail_json(msg="python-apt must be installed to use check mode. If run normally this module can autoinstall it")
        try:
-            module.run_command('apt-get update && apt-get install python-apt -y -q --force-yes', use_unsafe_shell=True, check_rc=True)
+            module.run_command('apt-get update', check_rc=True)
+            module.run_command('apt-get install python-apt -y -q', check_rc=True)
            global apt, apt_pkg
            import apt
            import apt.debfile