@ -101,10 +101,15 @@ class Conditional:
elif conditional == " " :
elif conditional == " " :
return False
return False
# If the result of the first-pass template render (to resolve inline templates) is marked unsafe,
# explicitly disable lookups on the final pass to prevent evaluation of untrusted content in the
# constructed template.
disable_lookups = hasattr ( conditional , ' __UNSAFE__ ' )
# NOTE The spaces around True and False are intentional to short-circuit literal_eval for
# NOTE The spaces around True and False are intentional to short-circuit literal_eval for
# jinja2_native=False and avoid its expensive calls.
# jinja2_native=False and avoid its expensive calls.
return templar . template (
return templar . template (
" { %% if %s %% } True { %% else %% } False { %% endif %% } " % conditional
" { %% if %s %% } True { %% else %% } False { %% endif %% } " % conditional ,
) . strip ( ) == " True "
disable_lookups = disable_lookups ) . strip ( ) == " True "
except AnsibleUndefinedVariable as e :
except AnsibleUndefinedVariable as e :
raise AnsibleUndefinedVariable ( " error while evaluating conditional ( %s ): %s " % ( original , e ) )
raise AnsibleUndefinedVariable ( " error while evaluating conditional ( %s ): %s " % ( original , e ) )