From 53b0fd65ee078fc8ceaf692d20f7337ce0b56a92 Mon Sep 17 00:00:00 2001
From: Matt Clay
Date: Sun, 31 Jan 2016 02:22:59 -0800
Subject: [PATCH] Split shell command to avoid use_unsafe_shell.

This mirrors a nearly identical change made to apt_repository.py. Also removes the use of apt-get --force-yes as it can be dangerous and should not be necessary (apt_repository.py does not use it). Repeating the explanation from the apt_respository change below: Since use_unsafe_shell is suspicious from a security point of view (or it wouldn't be unsafe), the less we have, the less code we have to thoroughly inspect for a security audit. In this case, the '&&' can be replaced by doing 2 calls to run_command.
---
 lib/ansible/modules/packaging/os/apt.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/modules/packaging/os/apt.py b/lib/ansible/modules/packaging/os/apt.py
index 2220d2d9cf..8fd24e204f 100644
--- a/lib/ansible/modules/packaging/os/apt.py
+++ b/lib/ansible/modules/packaging/os/apt.py
@@ -611,7 +611,8 @@ def main():
 if module.check_mode:
 module.fail_json(msg="python-apt must be installed to use check mode. If run normally this module can autoinstall it")
 try:
- module.run_command('apt-get update && apt-get install python-apt -y -q --force-yes', use_unsafe_shell=True, check_rc=True)
+ module.run_command('apt-get update', check_rc=True)
+ module.run_command('apt-get install python-apt -y -q', check_rc=True)
 global apt, apt_pkg
 import apt
 import apt.debfile
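Review bot: The two new run_command calls in main() still pass each command as one string, so the argument vector depends on run_command's own splitting and apt-get is found through PATH. An explicit list states the no-shell intent and is easier to audit: `module.run_command(['apt-get', 'update'], check_rc=True)` and `module.run_command(['apt-get', 'install', 'python-apt', '-y', '-q'], check_rc=True)`, optionally with the binary resolved once through `module.get_bin_path('apt-get', required=True)`. With `--force-yes` gone, an unauthenticated package now makes the install exit non-zero and `check_rc=True` fails the module. That is the safer default but worth a short comment, e.g. `# no --force-yes: refuse unauthenticated packages rather than install them silently`. The `try:` block's handler lies outside the hunk, so how a failed bootstrap is reported to the user cannot be checked from here.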