homebrew_cask: fix sudo_password failing with special characters (#11850)

* homebrew_cask: fix sudo_password with special characters in password The SUDO_ASKPASS script embedded the password inside single quotes, which breaks shell parsing whenever the password contains a single quote. Use a quoted heredoc (cat <<'SUDO_PASS') instead, which treats the content completely literally regardless of special characters. Also replace .file.close() with .flush() (correct semantics — flushes the write buffer without leaving the NamedTemporaryFile in a half-closed state) and remove the redundant add_cleanup_file() call (the context manager already deletes the file on exit). Fixes #4957 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * homebrew_cask: add changelog fragment for #11850 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * homebrew_cask: fix sudo_password example and clarify ansible_become_password Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * homebrew_cask: use shlex.quote() for sudo_password instead of heredoc shlex.quote() is the standard Python approach for shell-safe quoting and handles all special characters without the edge cases of heredocs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 11:19:00 +00:00 · 2026-04-17 23:51:45 +12:00 · 2026-04-17 23:51:45 +12:00 · f8869af65f
commit f8869af65f
parent c4ed3467b6
2 changed files with 10 additions and 5 deletions
--- a/plugins/modules/homebrew_cask.py
+++ b/plugins/modules/homebrew_cask.py
@ -141,14 +141,16 @@ EXAMPLES = r"""
    greedy: true

 - name: Using sudo password for installing cask
+  # ansible_become_password must be set in inventory or group_vars; it is not populated by -K
  community.general.homebrew_cask:
    name: wireshark
    state: present
-    sudo_password: "{{ ansible_become_pass }}"
+    sudo_password: "{{ ansible_become_password }}"
 """

 import os
 import re
+import shlex
 import tempfile

 from ansible.module_utils.basic import AnsibleModule
@ -480,14 +482,12 @@ class HomebrewCask:
        rc, out, err = "", "", ""

        with tempfile.NamedTemporaryFile() as sudo_askpass_file:
-            sudo_askpass_file.write(b"#!/bin/sh\n\necho '%s'\n" % to_bytes(self.sudo_password))
+            sudo_askpass_file.write(to_bytes(f"#!/bin/sh\necho {shlex.quote(self.sudo_password)}\n"))
+            sudo_askpass_file.flush()
            os.chmod(sudo_askpass_file.name, 0o700)
-            sudo_askpass_file.file.close()

            rc, out, err = self.module.run_command(cmd, environ_update={"SUDO_ASKPASS": sudo_askpass_file.name})

-            self.module.add_cleanup_file(sudo_askpass_file.name)
-
        return (rc, out, err)

    # /sudo_password fix --------------------- }}}