Split shell command to avoid use_unsafe_shell.

This mirrors a nearly identical change made to apt_repository.py.

Also removes the use of apt-get --force-yes as it can be dangerous
and should not be necessary (apt_repository.py does not use it).

Repeating the explanation from the apt_repository change below:

Since use_unsafe_shell is suspicious from a security point
of view (or it wouldn't be unsafe), the less we have, the less
code we have to thoroughly inspect for a security audit.

In this case, the '&&' can be replaced by doing 2 calls to run_command.
Matt Clay 2016-01-31 02:22:59 -08:00
parent 75e8b365b4
commit 53b0fd65ee

@ -611,7 +611,8 @@ def main():
if module.check_mode:
module.fail_json(msg="python-apt must be installed to use check mode. If run normally this module can autoinstall it")
try:
module.run_command('apt-get update && apt-get install python-apt -y -q --force-yes', use_unsafe_shell=True, check_rc=True)
module.run_command('apt-get update', check_rc=True)
module.run_command('apt-get install python-apt -y -q', check_rc=True)
global apt, apt_pkg
import apt
import apt.debfile
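
Review bot: The two new `module.run_command(...)` calls in the `try:` block still pass each command as a single string, so they rely on run_command splitting it into an argument vector. Passing lists instead, e.g. `module.run_command(['apt-get', 'update'], check_rc=True)` and `module.run_command(['apt-get', 'install', 'python-apt', '-y', '-q'], check_rc=True)`, makes it explicit that no shell parsing is involved and keeps the call safe if an argument is ever built from a variable. Separately, removing `--force-yes` from the install line changes behaviour as well as tightening it: with only `-y`, apt-get aborts when python-apt cannot be authenticated, and `check_rc=True` turns that into a module failure where the old command would have proceeded. That is the safer outcome, but it is worth a changelog entry so users with unsigned repositories know why the autoinstall now stops.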