The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #14093

variable called $string in scope prevents templates from working

Added by R.I. Pienaar about 4 years ago. Updated about 3 years ago.

Status:ClosedStart date:04/19/2012
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:templates
Target version:3.1.1
Affected Puppet version:0.24.7 Branch:https://github.com/puppetlabs/puppet/pull/1446
Keywords:

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com


Description

% FACTER_string="foo" puppet -e 'notice(inline_template("<%= Time.now %>"))'
notice: Scope(Class[main]): foo

Probably because https://github.com/puppetlabs/puppet/blob/master/lib/puppet/parser/templatewrapper.rb#L90-99 will overwrite the @string in the class

tested against 2.6.x and master

History

#1 Updated by Anonymous about 4 years ago

  • Status changed from Unreviewed to Accepted

#2 Updated by eric sorenson about 3 years ago

  • Status changed from Accepted to Duplicate

Dup of the next sequential bug, which is a more complete description of the problem.

#3 Updated by Anonymous about 3 years ago

  • Status changed from Duplicate to In Topic Branch Pending Review
  • Branch set to https://github.com/puppetlabs/puppet/pull/1445

Although this looks like the same thing as #14094, it is actually a different problem. This bug means that the actual template used is wrong (it ends up coming from the $string variable), whereas the other bug points out that there are unanticipated effects from collisions between ruby methods and variables.

A fix for this one can be found in https://github.com/puppetlabs/puppet/pull/1445

I mis-named my branch when I had the wrong bug number.

#4 Updated by Anonymous about 3 years ago

  • Branch changed from https://github.com/puppetlabs/puppet/pull/1445 to https://github.com/puppetlabs/puppet/pull/1446

Mislabeled the previous PR. It was marked for #14094, but does not address that. It only addresses this bug.

https://github.com/puppetlabs/puppet/pull/1446

#5 Updated by Anonymous about 3 years ago

  • Category set to templates
  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
  • Target version set to 3.2.0

Merged into master as 432850fb74813eded3036f861e05d9266289c16c.

This should be released in 3.2.0.

Thanks again for the contribution!

-Jeff

#6 Updated by Josh Cooper about 3 years ago

  • Private changed from No to Yes

merged in security/3.1.0 in b26af91
merged in security/2.7.20 in 00756ae
merged in secuirty/2.6.17 in 7207951

#7 Updated by Josh Cooper about 3 years ago

  • Affected Puppet version set to 0.24.7

This issue was introduced in 0.24.7 in commit cc45c435

#8 Updated by Josh Cooper about 3 years ago

  • Target version changed from 3.2.0 to 3.1.1

#9 Updated by Matthaus Owens about 3 years ago

  • Status changed from Merged - Pending Release to Closed

Released in Puppet 3.1.1, 2.7.21, 2.6.18

#10 Updated by Matthaus Owens about 3 years ago

  • Private changed from Yes to No

#11 Updated by konrad rzentarzewski about 3 years ago

altough attack surface is limited to authenticated agents (usually root is required on agent, but there may be many root accounts on development boxes) remote code exploit is quite trivial and you might consider keeping it private unless people patch themselves.

Also available in: Atom PDF