diff options
| author | Brian Coca <bcoca@users.noreply.github.com> | 2021-06-11 17:43:09 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-06-11 16:43:09 -0500 |
| commit | 03aff644cc1c00e1f7551195c68fbd0d13a39e6e (patch) | |
| tree | b532a608c8bcde76484d56a37dae378aeaf8b3a3 /lib | |
| parent | 578fa17af58ae665cc652c530f1de6562659665c (diff) | |
| download | ansible-03aff644cc1c00e1f7551195c68fbd0d13a39e6e.tar.gz | |
fix unsafe preservation across newlines (#74960) (#74973)
CVE-2021-3583
ensure we always have unsafe
Co-authored-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 4c8c40fd3d4a58defdc80e7d22aa8d26b731353e)
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ansible/template/__init__.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py index 3a51fef2ad..aa011e7e22 100644 --- a/lib/ansible/template/__init__.py +++ b/lib/ansible/template/__init__.py @@ -1092,7 +1092,8 @@ class Templar: res = ansible_native_concat(rf) else: res = j2_concat(rf) - if getattr(new_context, 'unsafe', False): + unsafe = getattr(new_context, 'unsafe', False) + if unsafe: res = wrap_var(res) except TypeError as te: if 'AnsibleUndefined' in to_native(te): @@ -1122,6 +1123,8 @@ class Templar: res_newlines = _count_newlines_from_end(res) if data_newlines > res_newlines: res += self.environment.newline_sequence * (data_newlines - res_newlines) + if unsafe: + res = wrap_var(res) return res except (UndefinedError, AnsibleUndefinedVariable) as e: if fail_on_undefined: |