Prevent setting arbitrary attrs on Jinja2 envs via overrides (#80715)

pull/80728/head^2
Martin Krizek 2 years ago committed by GitHub
parent cdeb607b1d
commit 932abc0711
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,2 @@
bugfixes:
- templating - prevent setting arbitrary attributes on Jinja2 environments via Jinja2 overrides in templates

@ -932,7 +932,10 @@ class Templar:
" Did you use something different from colon as key-value separator?" % pair.strip()) " Did you use something different from colon as key-value separator?" % pair.strip())
(key, val) = pair.split(':', 1) (key, val) = pair.split(':', 1)
key = key.strip() key = key.strip()
if hasattr(myenv, key):
setattr(myenv, key, ast.literal_eval(val.strip())) setattr(myenv, key, ast.literal_eval(val.strip()))
else:
display.warning(f"Could not find Jinja2 environment setting to override: '{key}'")
if escape_backslashes: if escape_backslashes:
# Allow users to specify backslashes in playbooks as "\\" instead of as "\\\\". # Allow users to specify backslashes in playbooks as "\\" instead of as "\\\\".

Loading…
Cancel
Save