The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
variable called $string in scope prevents templates from working
Affected Puppet version: 0.24.7
Branch: https://github.com/puppetlabs/puppet/pull/1446

% FACTER_string="foo" puppet -e 'notice(inline_template("<%= Time.now %>"))'
notice: Scope(Class[main]): foo
Probably because https://github.com/puppetlabs/puppet/blob/master/lib/puppet/parser/templatewrapper.rb#L90-99 will overwrite the @string in the class
tested against 2.6.x and master
#3 Updated by Anonymous about 3 years ago
- Status changed from Duplicate to In Topic Branch Pending Review
- Branch set to https://github.com/puppetlabs/puppet/pull/1445
Although this looks like the same thing as #14094, it is actually a different problem. This bug means that the actual template used is wrong (it ends up coming from the $string variable), whereas the other bug points out that there are unanticipated effects from collisions between Ruby methods and variables.
A fix for this one can be found in https://github.com/puppetlabs/puppet/pull/1445
I mis-named my branch when I had the wrong bug number.
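
Added example, not part of the ticket and not Puppet's own code or the patch in the pull request: a minimal Ruby model of the collision described above, where a scope variable named "string" replaces the template source, next to one way of keeping the two apart. The class names, the render_both helper and the sample values are hypothetical.

```ruby
require 'erb'

# Vulnerable pattern: the wrapper's own state (@string) and the scope
# variables share one instance-variable namespace.
class CollidingWrapper
  def initialize(scope_vars)
    @scope_vars = scope_vars
  end

  def render(template)
    @string = template
    # Every scope variable becomes @name on the wrapper itself, so a
    # variable called "string" replaces the template source set above.
    @scope_vars.each { |name, value| instance_variable_set("@#{name}", value) }
    ERB.new(@string).result(binding)
  end
end

# Hardened pattern (an assumption, not the merged fix): the template source
# stays in a local variable and scope variables live on a separate object.
class IsolatedWrapper
  def initialize(scope_vars)
    @scope_vars = scope_vars
  end

  def render(template)
    source = template
    context = Object.new
    @scope_vars.each { |name, value| context.instance_variable_set("@#{name}", value) }
    ERB.new(source).result(context.instance_eval { binding })
  end
end

# Constructed sample input: "string" plays the role of the $string fact.
SAMPLE_SCOPE = { 'string' => 'foo', 'host' => 'web01' }.freeze
SAMPLE_TEMPLATE = 'host=<%= @host %>'

# Renders the same template and scope through both wrappers.
def render_both(scope = SAMPLE_SCOPE, template = SAMPLE_TEMPLATE)
  { colliding: CollidingWrapper.new(scope).render(template),
    isolated:  IsolatedWrapper.new(scope).render(template) }
end

puts render_both.inspect if $PROGRAM_NAME == __FILE__
```

With the colliding wrapper the rendered text is the value of the "string" variable, as in the reproduction at the top of the ticket; the isolated wrapper renders the intended template and still exposes @string to it as ordinary data.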
#4 Updated by Anonymous about 3 years ago
- Branch changed from https://github.com/puppetlabs/puppet/pull/1445 to https://github.com/puppetlabs/puppet/pull/1446
#5 Updated by Anonymous about 3 years ago
- Category set to templates
- Status changed from In Topic Branch Pending Review to Merged - Pending Release
- Target version set to 3.2.0
Merged into master as 432850fb74813eded3036f861e05d9266289c16c.
This should be released in 3.2.0.
Thanks again for the contribution!
#11 Updated by konrad rzentarzewski about 3 years ago
Although the attack surface is limited to authenticated agents (usually root is required on the agent, but there may be many root accounts on development boxes), remote code exploit is quite trivial, and you might consider keeping it private unless people patch themselves.