split PS wrapper and payload (CVE-2018-16859) (#49142)

* prevent scriptblock logging from logging payload contents * added tests to verify no payload contents in PS Operational event log * fix script action to send split-aware wrapper * fix CLIXML error parser (return to -EncodedCommand exposed problems with it)
2025-04-26 04:11:25 -07:00 · 2018-11-26 15:28:21 -08:00 · 2018-11-26 15:28:21 -08:00 · 8c1f701e6e
commit 8c1f701e6e
parent e7104a445b
12 changed files with 91 additions and 30 deletions
--- a/lib/ansible/plugins/action/script.py
+++ b/lib/ansible/plugins/action/script.py
@ -127,14 +127,17 @@ class ActionModule(ActionBase):
            # PowerShell runs the script in a special wrapper to enable things
            # like become and environment args
            if self._connection._shell.SHELL_FAMILY == "powershell":
-                # FIXME: use a more public method to get the exec payload
+                # FUTURE: use a more public method to get the exec payload
                pc = self._play_context
                exec_data = ps_manifest._create_powershell_wrapper(
                    to_bytes(script_cmd), {}, env_dict, self._task.async_val,
                    pc.become, pc.become_method, pc.become_user,
                    pc.become_pass, pc.become_flags, substyle="script"
                )
-                script_cmd = "-"
+                # build the necessary exec wrapper command
+                # FUTURE: this still doesn't let script work on Windows with non-pipelined connections or
+                # full manual exec of KEEP_REMOTE_FILES
+                script_cmd = self._connection._shell.build_module_command(env_string='', shebang='#!powershell', cmd='')

            result.update(self._low_level_execute_command(cmd=script_cmd, in_data=exec_data, sudoable=True, chdir=chdir))