diff options
| author | Martin Krizek <martin.krizek@gmail.com> | 2023-05-05 16:18:35 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-05 16:18:35 +0200 |
| commit | 932abc0711f05b6f91af1dfce0061c848e4165a0 (patch) | |
| tree | bea47179823692ded46cec7f78e501300d85bb89 | |
| parent | cdeb607b1d01af4d8dd652bf7117a442fcd9b229 (diff) | |
| download | ansible-932abc0711f05b6f91af1dfce0061c848e4165a0.tar.gz | |
Prevent setting arbitrary attrs on Jinja2 envs via overrides (#80715)
| -rw-r--r-- | changelogs/fragments/no-arbitrary-j2-override.yml | 2 | ||||
| -rw-r--r-- | lib/ansible/template/__init__.py | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/changelogs/fragments/no-arbitrary-j2-override.yml b/changelogs/fragments/no-arbitrary-j2-override.yml new file mode 100644 index 0000000000..c2fcf1c565 --- /dev/null +++ b/changelogs/fragments/no-arbitrary-j2-override.yml @@ -0,0 +1,2 @@ +bugfixes: + - templating - prevent setting arbitrary attributes on Jinja2 environments via Jinja2 overrides in templates diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py index f08cfcebb7..f389b16939 100644 --- a/lib/ansible/template/__init__.py +++ b/lib/ansible/template/__init__.py @@ -932,7 +932,10 @@ class Templar: " Did you use something different from colon as key-value separator?" % pair.strip()) (key, val) = pair.split(':', 1) key = key.strip() - setattr(myenv, key, ast.literal_eval(val.strip())) + if hasattr(myenv, key): + setattr(myenv, key, ast.literal_eval(val.strip())) + else: + display.warning(f"Could not find Jinja2 environment setting to override: '{key}'") if escape_backslashes: # Allow users to specify backslashes in playbooks as "\\" instead of as "\\\\". |