
Fixed twig filesystemloader security issue + test (closes #1026)

commit 3d19a2eed53570776af313593aaeb5ad62cf4980 1 parent 481abb8
Rick Prent authored committed
1  lib/Twig/Loader/Filesystem.php
@@ -203,6 +203,7 @@ protected function validateName($name)
203 203 throw new Twig_Error_Loader('A template name cannot contain NUL bytes.');
204 204 }
205 205
  206 + $name = ltrim($name, '/');
206 207 $parts = explode('/', $name);
207 208 $level = 0;
208 209 foreach ($parts as $part) {
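Review bot: the new `$name = ltrim($name, '/');` before `explode('/', $name)` has no comment saying why it is needed, and it only rewrites the local `$name` used for the level count. Please add a one-line comment stating that a leading `/` yields an empty first element from `explode()`, and confirm that the path later used to open the template is normalized the same way, so the name that is validated and the name that is loaded cannot differ. `ltrim()` also handles leading slashes only: a doubled slash inside the name still produces an empty element in `$parts`, so check whether the `foreach` treats an empty `$part` as a directory level, and if it does, skip empty parts in the loop rather than trimming up front.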
1  test/Twig/Tests/Loader/FilesystemTest.php
@@ -47,6 +47,7 @@ public function getSecurityTests()
47 47 array('filters\\..\\..\\AutoloaderTest.php'),
48 48 array('filters\\\\..\\\\..\\\\AutoloaderTest.php'),
49 49 array('filters\\//../\\/\\..\\AutoloaderTest.php'),
  50 + array('/../AutoloaderTest.php'),
50 51 );
51 52 }
52 53
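Review bot: the added case `array('/../AutoloaderTest.php')` covers a single leading forward slash only, while the fix uses `ltrim($name, '/')`, which strips any number of them. Add sibling cases to `getSecurityTests()` for several leading slashes and for a leading backslash, matching the backslash and mixed-separator entries already in this list, so a later change to the trimming does not silently reopen the check for those forms.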
