From: Fabien Potencier <fabien@potencier.org>
Date: Wed, 13 Jul 2022 14:52:38 +0200
Subject: Fix a security issue on filesystem loader (possibility to load a
 template outside a configured directory)

Origin: upstream, https://github.com/twigphp/Twig/commit/f8009347c438bef22ef0603ab3d3ccb44bb10bed
Bug: https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
Bug-Debian: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
Bug-Debian: https://bugs.debian.org/1020991
---
 src/Loader/FilesystemLoader.php | 4 ++--
 tests/Loader/FilesystemTest.php | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/Loader/FilesystemLoader.php b/src/Loader/FilesystemLoader.php
index 0971e09..ae95b7f 100644
--- a/src/Loader/FilesystemLoader.php
+++ b/src/Loader/FilesystemLoader.php
@@ -206,9 +206,9 @@ class FilesystemLoader implements LoaderInterface, ExistsLoaderInterface, Source
         }
 
         try {
-            $this->validateName($name);
-
             list($namespace, $shortname) = $this->parseName($name);
+
+            $this->validateName($shortname);
         } catch (LoaderError $e) {
             if (!$throw) {
                 return false;
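Review bot: The call order on the new side is what closes the hole, yet nothing at `$this->validateName($shortname);` records that, so a later tidy-up could move validation back in front of `parseName()`. If `validateName()` rejects `..` by counting path segments (its body is not in this hunk), a leading `@namespace` segment on the raw name would count as one directory level and cancel out a single `..`, which is consistent with the `@foo/../…` cases this commit adds to the tests. I would add a comment directly above the call: `// Validate the path inside the namespace, not the raw name: the "@ns" prefix must never count as a directory level (GHSA-52m2-vc4m-jj33).` The enclosing method starts and ends outside the hunk.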
diff --git a/tests/Loader/FilesystemTest.php b/tests/Loader/FilesystemTest.php
index fe6779c..22e94fb 100644
--- a/tests/Loader/FilesystemTest.php
+++ b/tests/Loader/FilesystemTest.php
@@ -32,6 +32,7 @@ class FilesystemTest extends TestCase
     public function testSecurity($template)
     {
         $loader = new FilesystemLoader([__DIR__.'/../Fixtures']);
+        $loader->addPath(__DIR__.'/../Fixtures', 'foo');
 
         try {
             $loader->getCacheKey($template);
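Review bot: testSecurity only exercises `getCacheKey()`, which takes the throwing path, so the `if (!$throw) { return false; }` branch that sits right after the moved validation in FilesystemLoader is not asserted here. Assuming `exists()` reaches the same lookup with throwing disabled, adding `$this->assertFalse($loader->exists($template));` before the `try` would cover that branch for every data-provider entry, including the ones that use the new `foo` namespace. The test method continues past the end of this hunk, so an equivalent assertion may already be present there.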
@@ -63,6 +64,10 @@ class FilesystemTest extends TestCase
             ['filters\\\\..\\\\..\\\\AutoloaderTest.php'],
             ['filters\\//../\\/\\..\\AutoloaderTest.php'],
             ['/../AutoloaderTest.php'],
+            ['@__main__/../AutoloaderTest.php'],
+            ['@foo/../AutoloaderTest.php'],
+            ['@__main__/../../AutoloaderTest.php'],
+            ['@foo/../../AutoloaderTest.php'],
         ];
     }
 
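Review bot: The four new entries have no comment tying them to the advisory, and nothing says why each namespace appears at two depths, so they read as arbitrary strings to the next maintainer. I would put one line above them: `// Namespaced names: ".." must be rejected relative to the namespace root, not the raw name (GHSA-52m2-vc4m-jj33)`. The new cases use forward slashes only, while the earlier entries in this provider also cover backslash and mixed-separator spellings; namespaced counterparts of those would keep the regression set symmetric if separators are normalised before the name is split. The provider method starts outside the hunk.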
