Merge branch '2.x' into 3.x

* 2.x: Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)
twigphp · Sep 28, 2022 · 2e8acd9 · 2e8acd9
2 parents be33323 + d6ea14a
commit 2e8acd9
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/src/Loader/FilesystemLoader.php b/src/Loader/FilesystemLoader.php
@@ -183,9 +183,9 @@ protected function findTemplate(string $name, bool $throw = true)
         }
 
         try {
-            $this->validateName($name);
-
             list($namespace, $shortname) = $this->parseName($name);
+
+            $this->validateName($shortname);
         } catch (LoaderError $e) {
             if (!$throw) {
                 return null;

diff --git a/tests/Loader/FilesystemTest.php b/tests/Loader/FilesystemTest.php
@@ -32,6 +32,7 @@ public function testGetSourceContext()
     public function testSecurity($template)
     {
         $loader = new FilesystemLoader([__DIR__.'/../Fixtures']);
+        $loader->addPath(__DIR__.'/../Fixtures', 'foo');
 
         try {
             $loader->getCacheKey($template);
@@ -63,6 +64,10 @@ public function getSecurityTests()
             ['filters\\\\..\\\\..\\\\AutoloaderTest.php'],
             ['filters\\//../\\/\\..\\AutoloaderTest.php'],
             ['/../AutoloaderTest.php'],
+            ['@__main__/../AutoloaderTest.php'],
+            ['@foo/../AutoloaderTest.php'],
+            ['@__main__/../../AutoloaderTest.php'],
+            ['@foo/../../AutoloaderTest.php'],
         ];
     }