ansible

History

James Cammarata ed56f51f18 Fixing security issue with lookup returns not tainting the jinja2 environment CVE-2017-7481 Lookup returns wrap the result in unsafe, however when used through the standard templar engine, this does not result in the jinja2 environment being marked as unsafe as a whole. This means the lookup result looses the unsafe protection and may become simple unicode strings, which can result in bad things being re-templated. This also adds a global lookup param and cfg options for lookups to allow unsafe returns, so users can force the previous (insecure) behavior.	2017-05-08 12:43:46 -05:00
..
ansible	Fixing security issue with lookup returns not tainting the jinja2 environment	2017-05-08 12:43:46 -05:00

James Cammarata ed56f51f18 Fixing security issue with lookup returns not tainting the jinja2 environment

CVE-2017-7481

Lookup returns wrap the result in unsafe, however when used through the
standard templar engine, this does not result in the jinja2 environment being
marked as unsafe as a whole. This means the lookup result looses the unsafe
protection and may become simple unicode strings, which can result in bad
things being re-templated.

This also adds a global lookup param and cfg options for lookups to allow
unsafe returns, so users can force the previous (insecure) behavior.

2017-05-08 12:43:46 -05:00

ansible

Fixing security issue with lookup returns not tainting the jinja2 environment

2017-05-08 12:43:46 -05:00