From f46c943d3d3320eef9655c167022498240e30253 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Thu, 23 Aug 2018 19:22:58 -0700
Subject: [PATCH] Fix another corner case of too many warnings for world readable current working directory
There should be no warning if there is no ansible.cfg file i nthe current working directory.
---
 .../more-world-readable-warning-skips.yaml | 7 ++++++
 lib/ansible/config/manager.py | 8 ++++--
 .../manager/test_find_ini_config_file.py | 25 +++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/more-world-readable-warning-skips.yaml
diff --git a/changelogs/fragments/more-world-readable-warning-skips.yaml b/changelogs/fragments/more-world-readable-warning-skips.yaml
new file mode 100644
index 0000000000..1987db5d90
--- /dev/null
+++ b/changelogs/fragments/more-world-readable-warning-skips.yaml
@@ -0,0 +1,7 @@
+---
+bugfixes:
+- The fix for `CVE-2018-10875 `_
+ prints out a warning message about skipping a config file from a world
+ writable current working directory. However, if the user is in a world
+ writable current working directory which does not contain a config file, it
+ should not print a warning message. This release fixes that extaneous warning.
diff --git a/lib/ansible/config/manager.py b/lib/ansible/config/manager.py
index 7d02053555..ab0db12926 100644
--- a/lib/ansible/config/manager.py
+++ b/lib/ansible/config/manager.py
@@ -176,10 +176,14 @@ def find_ini_config_file(warnings=None):
 try:
 cwd = os.getcwd()
 perms = os.stat(cwd)
+ cwd_cfg = os.path.join(cwd, "ansible.cfg")
 if perms.st_mode & stat.S_IWOTH:
- warn_cmd_public = True
+ # Working directory is world writable so we'll skip it.
+ # Still have to look for a file here, though, so that we know if we have to warn
+ if os.path.exists(cwd_cfg):
+ warn_cmd_public = True
 else:
- potential_paths.append(os.path.join(cwd, "ansible.cfg"))
+ potential_paths.append(cwd_cfg)
 except OSError:
 # If we can't access cwd, we'll simply skip it as a possible config source
 pass
diff --git a/test/units/config/manager/test_find_ini_config_file.py b/test/units/config/manager/test_find_ini_config_file.py
index f8f3d72c23..262adcfc32 100644
--- a/test/units/config/manager/test_find_ini_config_file.py
+++ b/test/units/config/manager/test_find_ini_config_file.py
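Review bot: The existence probe `os.path.exists(cwd_cfg)` in the world-writable branch follows symlinks and returns False for a dangling link or on any stat error, so an `ansible.cfg` entry of that kind in a world-writable working directory is now skipped without the warning. The skip itself is unaffected, since `cwd_cfg` is appended to `potential_paths` only in the `else` branch. If the warning is meant to tell the user that something named ansible.cfg sits in an untrusted directory, `if os.path.lexists(cwd_cfg):` covers those cases; otherwise extend the comment to say that only a resolvable path triggers the warning. find_ini_config_file starts and ends outside the hunk, so how `warn_cmd_public` is consumed is not visible here.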
@@ -144,6 +144,31 @@ class TestFindIniFile:
 assert find_ini_config_file(warnings) is None
 assert warnings == set()
+ # ANSIBLE_CONFIG not specified
+ @pytest.mark.parametrize('setup_env', [[None]], indirect=['setup_env'])
+ # All config files are present except in cwd
+ @pytest.mark.parametrize('setup_existing_files',
+ [[('/etc/ansible/ansible.cfg', cfg_in_homedir, cfg_file, alt_cfg_file)]],
+ indirect=['setup_existing_files'])
+ def test_no_cwd_cfg_no_warning_on_writable(self, setup_env, setup_existing_files, monkeypatch):
+ """If the cwd is writable but there is no config file there, move on with no warning"""
+ real_stat = os.stat
+
+ def _os_stat(path):
+ if path == working_dir:
+ from posix import stat_result
+ stat_info = list(real_stat(path))
+ stat_info[stat.ST_MODE] |= stat.S_IWOTH
+ return stat_result(stat_info)
+ else:
+ return real_stat(path)
+
+ monkeypatch.setattr('os.stat', _os_stat)
+
+ warnings = set()
+ assert find_ini_config_file(warnings) == cfg_in_homedir
+ assert len(warnings) == 0
+
 # ANSIBLE_CONFIG not specified
 @pytest.mark.parametrize('setup_env', [[None]], indirect=['setup_env'])
 # All config files are present
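Review bot: The stub in `test_no_cwd_cfg_no_warning_on_writable` imports `stat_result` from the `posix` module, which exists only on POSIX builds; `os.stat_result` is the same type under its portable name and needs no import inside the stub: `return os.stat_result(stat_info)`. The replacement `_os_stat(path)` also accepts only one positional argument, so any caller that passes extra or keyword arguments to `os.stat` while the patch is active would raise TypeError; `def _os_stat(path, *args, **kwargs):` forwarding them to `real_stat` avoids that. Whether the fixtures make `os.path.exists` report the cwd config file as absent is not visible in this hunk.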