authorComputest <anon@@computest.nl>2017-01-10 16:51:40 -0600
committerJames Cammarata <jimi@sngx.net>2017-01-11 15:53:37 -0600
commiteb8c26c105e8457b86324b64a13fac37d8862d47 (patch)
treed1d66548fbd3d191c77fb2829c7839269176f5f3
parent240c388e6cfc0406035db5116b4bf826b9e045e2 (diff)
Fixing another corner case for security related to CVE-2016-9587
(cherry picked from commit bcceada5d9b78ad77069c78226f8e9b336ff8949)
-rw-r--r--lib/ansible/template/__init__.py6
-rw-r--r--lib/ansible/vars/unsafe_proxy.py8
2 files changed, 9 insertions, 5 deletions
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
index 4e24fbebfe..53b267543f 100644
--- a/lib/ansible/template/__init__.py
+++ b/lib/ansible/template/__init__.py
@@ -155,7 +155,7 @@ class AnsibleContext(Context):
'''
if isinstance(val, dict):
for key in val.keys():
- if self._is_unsafe(val[key]):
+ if self._is_unsafe(key) or self._is_unsafe(val[key]):
return True
elif isinstance(val, list):
for item in val:
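Review bot: The loop on the `for key in val.keys()` line now reads both the key and `val[key]`, so iterating `val.items()` would avoid the second lookup and make the paired check read more directly: `for key, value in val.items():` / `if self._is_unsafe(key) or self._is_unsafe(value):`. The docstring that opens above the visible lines would be the place to record that dict keys as well as values are now inspected, since the recursion otherwise looks value-only. The enclosing `_is_unsafe` method starts and ends outside the hunk.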
@@ -392,11 +392,11 @@ class Templar:
fail_on_undefined=fail_on_undefined,
overrides=overrides,
)
- if convert_data and not self._no_type_regex.match(variable):
+ unsafe = hasattr(result, '__UNSAFE__')
+ if convert_data and not self._no_type_regex.match(variable) and not unsafe:
# if this looks like a dictionary or list, convert it to such using the safe_eval method
if (result.startswith("{") and not result.startswith(self.environment.variable_start_string)) or \
result.startswith("[") or result in ("True", "False"):
- unsafe = hasattr(result, '__UNSAFE__')
eval_results = safe_eval(result, locals=self._available_variables, include_exceptions=True)
if eval_results[1] is None:
result = eval_results[0]
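Review bot: The new `and not unsafe` guard on the `if convert_data` line carries no comment saying why unsafe-marked output bypasses `safe_eval`, and the existing comment below it only describes the dict/list conversion, so the security decision is invisible to the next reader. A line above `unsafe = hasattr(result, '__UNSAFE__')` such as `# output marked unsafe (untrusted) is kept as a literal string and never handed to safe_eval, even when it looks like a dict/list/bool` would record it. Hoisting the `unsafe` assignment before the `if` also means it is now set on every path through this block, which any later use of `unsafe` outside the hunk presumably relies on — worth confirming against the rest of the method. The enclosing method starts and ends outside the hunk.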
diff --git a/lib/ansible/vars/unsafe_proxy.py b/lib/ansible/vars/unsafe_proxy.py
index 426410ab61..42847053c9 100644
--- a/lib/ansible/vars/unsafe_proxy.py
+++ b/lib/ansible/vars/unsafe_proxy.py
@@ -98,10 +98,14 @@ class AnsibleJSONUnsafeDecoder(json.JSONDecoder):
def _wrap_dict(v):
+ # Create new dict to get rid of the keys that are not wrapped.
+ new = {}
for k in v.keys():
if v[k] is not None:
- v[wrap_var(k)] = wrap_var(v[k])
- return v
+ new[wrap_var(k)] = wrap_var(v[k])
+ else:
+ new[wrap_var(k)] = None
+ return new
def _wrap_list(v):