Merge branch '2.x' into 3.x

fabpot · fabpot · commit 2e8acd94ca00 · 2022-09-28T10:36:55.000+02:00
* 2.x:
  Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)
diff --git a/src/Loader/FilesystemLoader.php b/src/Loader/FilesystemLoader.php
@@ -183,9 +183,9 @@ protected function findTemplate(string $name, bool $throw = true)
         }
 
         try {
-            $this->validateName($name);
-
             list($namespace, $shortname) = $this->parseName($name);
+
+            $this->validateName($shortname);
         } catch (LoaderError $e) {
             if (!$throw) {
                 return null;
diff --git a/tests/Loader/FilesystemTest.php b/tests/Loader/FilesystemTest.php
@@ -32,6 +32,7 @@ public function testGetSourceContext()
     public function testSecurity($template)
     {
         $loader = new FilesystemLoader([__DIR__.'/../Fixtures']);
+        $loader->addPath(__DIR__.'/../Fixtures', 'foo');
 
         try {
             $loader->getCacheKey($template);
@@ -63,6 +64,10 @@ public function getSecurityTests()
             ['filters\\\\..\\\\..\\\\AutoloaderTest.php'],
             ['filters\\//../\\/\\..\\AutoloaderTest.php'],
             ['/../AutoloaderTest.php'],
+            ['@__main__/../AutoloaderTest.php'],
+            ['@foo/../AutoloaderTest.php'],
+            ['@__main__/../../AutoloaderTest.php'],
+            ['@foo/../../AutoloaderTest.php'],
         ];
     }
 
