From 03aff644cc1c00e1f7551195c68fbd0d13a39e6e Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Fri, 11 Jun 2021 17:43:09 -0400
Subject: fix unsafe preservation across newlines (#74960) (#74973) CVE-2021-3583 ensure we always have unsafe
Co-authored-by: Rick Elrod
(cherry picked from commit 4c8c40fd3d4a58defdc80e7d22aa8d26b731353e)
---
test/integration/targets/template/runme.sh | 4 ++++
test/integration/targets/template/unsafe.yml | 19 +++++++++++++++++++
2 files changed, 23 insertions(+)
create mode 100644 test/integration/targets/template/unsafe.yml
(limited to 'test/integration/targets/template')
diff --git a/test/integration/targets/template/runme.sh b/test/integration/targets/template/runme.sh
index cb00df754d..1b4e980e5b 100755
--- a/test/integration/targets/template/runme.sh
+++ b/test/integration/targets/template/runme.sh
@@ -34,3 +34,7 @@ ansible-playbook 6653.yml -v "$@" # https://github.com/ansible/ansible/issues/72262 ansible-playbook 72262.yml -v "$@"
+
+# ensure unsafe is preserved, even with extra newlines
+ansible-playbook unsafe.yml -v "$@"
+
diff --git a/test/integration/targets/template/unsafe.yml b/test/integration/targets/template/unsafe.yml
new file mode 100644
index 0000000000..6746e1ea0c
--- /dev/null
+++ b/test/integration/targets/template/unsafe.yml
@@ -0,0 +1,19 @@
+- hosts: localhost
+ gather_facts: false
+ vars:
+ nottemplated: this should not be seen
+ imunsafe: !unsafe '{{ nottemplated }}'
+ tasks:
+
+ - set_fact:
+ this_was_unsafe: >
+ {{ imunsafe }}
+
+ - set_fact:
+ this_always_safe: '{{ imunsafe }}'
+
+ - name: ensure nothing was templated
+ assert:
+ that:
+ - this_always_safe == imunsafe
+ - imunsafe == this_was_unsafe.strip()
--
cgit v1.2.1
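Review bot: The comment added above `ansible-playbook unsafe.yml` in runme.sh does not say which issue the playbook guards against, while the entry just before it cites its issue URL. Since the commit message ties this test to CVE-2021-3583, the comment could read `# CVE-2021-3583: ensure unsafe is preserved, even with extra newlines`, so the playbook is not later dropped as redundant. The last added line also appears to leave a blank line at the end of the file, which can be removed.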
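Review bot: In unsafe.yml the only shape exercised is the single trailing newline that the folded scalar `>` adds to `this_was_unsafe`, although the comment in runme.sh speaks of extra newlines in general. A second `set_fact` using a keep-chomping block (`|+`) followed by blank lines would cover more than one trailing newline; whether the fix treats that case differently cannot be seen here, because this view is limited to the test directory. The `that` list would also fail more clearly with a direct negative check such as `- "'this should not be seen' not in this_was_unsafe"`, which states the security property itself instead of relying on the two equality comparisons alone.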