Additional security fixes for CVE-2016-9587

2025-07-02 14:40:19 -07:00 · 2017-01-12 09:40:19 -06:00 · 2017-01-12 09:40:19 -06:00 · b7cdc21aee
commit b7cdc21aee
parent f1ae2eb4f1
2 changed files with 59 additions and 10 deletions
--- a/lib/ansible/template/init.py
+++ b/lib/ansible/template/init.py
@ -324,7 +324,7 @@ class Templar:
        self._available_variables = variables
        self._cached_result       = {}

-    def template(self, variable, convert_bare=False, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None, convert_data=True, static_vars = [''], cache = True, bare_deprecated=True, disable_lookups=False):
+    def template(self, variable, convert_bare=False, preserve_trailing_newlines=True, escape_backslashes=True, fail_on_undefined=None, overrides=None, convert_data=True, static_vars=[''], cache=True, bare_deprecated=True, disable_lookups=False):
        '''
        Templates (possibly recursively) any given data as input. If convert_bare is
        set to True, the given data will be wrapped as a jinja2 variable ('{{foo}}')
@ -406,14 +406,26 @@ class Templar:
                return result

            elif isinstance(variable, (list, tuple)):
-                return [self.template(v, preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides) for v in variable]
+                return [self.template(
+                            v,
+                            preserve_trailing_newlines=preserve_trailing_newlines,
+                            fail_on_undefined=fail_on_undefined,
+                            overrides=overrides,
+                            disable_lookups=disable_lookups,
+                        ) for v in variable]
            elif isinstance(variable, dict):
                d = {}
                # we don't use iteritems() here to avoid problems if the underlying dict
                # changes sizes due to the templating, which can happen with hostvars
                for k in variable.keys():
                    if k not in static_vars:
-                        d[k] = self.template(variable[k], preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides)
+                        d[k] = self.template(
+                                   variable[k],
+                                   preserve_trailing_newlines=preserve_trailing_newlines,
+                                   fail_on_undefined=fail_on_undefined,
+                                   overrides=overrides,
+                                   disable_lookups=disable_lookups,
+                               )
                    else:
                        d[k] = variable[k]
                return d