Additional fixes for security related to CVE-2016-9587

2025-07-22 12:50:22 -07:00 · 2017-01-10 16:54:00 -06:00 · 2017-01-10 16:54:00 -06:00 · d316068831
commit d316068831
parent bcceada5d9
2 changed files with 19 additions and 19 deletions
--- a/lib/ansible/playbook/conditional.py
+++ b/lib/ansible/playbook/conditional.py
@ -117,7 +117,7 @@ class Conditional:
        if conditional is None or conditional == '':
            return True

-        if conditional in all_vars and '-' not in text_type(all_vars[conditional]):
+        if conditional in all_vars and re.match("^[_A-Za-z][_a-zA-Z0-9]*$", conditional):
            conditional = all_vars[conditional]

        # make sure the templar is using the variables specified with this method
@ -129,12 +129,12 @@ class Conditional:
                return conditional

            # a Jinja2 evaluation that results in something Python can eval!
-            if hasattr(conditional, '__UNSAFE__') and LOOKUP_REGEX.match(conditional):
-                raise AnsibleError("The conditional '%s' contains variables which came from an unsafe " \
-                                   "source and also contains a lookup() call, failing conditional check" % conditional)
+            disable_lookups = False
+            if hasattr(conditional, '__UNSAFE__'):
+                disable_lookups = True

            presented = "{%% if %s %%} True {%% else %%} False {%% endif %%}" % conditional
-            val = templar.template(presented).strip()
+            val = templar.template(presented, disable_lookups=disable_lookups).strip()
            if val == "True":
                return True
            elif val == "False":