OVF: disable custom script execution by default

For security concern, we disable the custom script
by default.If a custom script is provided, stop
customization unless the custom script is explicitly
enabled by tools config.

2 files changed, 3 insertions, 3 deletions

diff --git a/cloudinit/sources/DataSourceOVF.py b/cloudinit/sources/DataSourceOVF.py
index e7794aab..896841e3 100644
--- a/cloudinit/sources/DataSourceOVF.py
+++ b/cloudinit/sources/DataSourceOVF.py
@@ -155,8 +155,8 @@ class DataSourceOVF(sources.DataSource):
                 custScriptConfig = get_tools_config(
                     CONFGROUPNAME_GUESTCUSTOMIZATION,
                     GUESTCUSTOMIZATION_ENABLE_CUST_SCRIPTS,
-                    "true")
-                if custScriptConfig.lower() == "false":
+                    "false")
+                if custScriptConfig.lower() != "true":
                     # Update the customization status if there is a
                     # custom script is disabled
                     if special_customization and customscript:
diff --git a/tests/unittests/test_datasource/test_ovf.py b/tests/unittests/test_datasource/test_ovf.py
index a615470a..a19c35c8 100644
--- a/tests/unittests/test_datasource/test_ovf.py
+++ b/tests/unittests/test_datasource/test_ovf.py
@@ -204,7 +204,7 @@ class TestDatasourceOVF(CiTestCase):
         customscript = self.tmp_path('test-script', self.tdir)
         util.write_file(customscript, "This is the post cust script")
 
-        with mock.patch(MPATH + 'get_tools_config', return_value='false'):
+        with mock.patch(MPATH + 'get_tools_config', return_value='invalid'):
             with mock.patch(MPATH + 'set_customization_status',
                             return_value=('msg', b'')):
                 with self.assertRaises(RuntimeError) as context: