Fixed twig filesystemloader security issue + test (closes #1026)

author Rick Prent <rprent@hostnet.nl>

Fri, 8 Mar 2013 13:16:10 +0000 (14:16 +0100)

committer Fabien Potencier <fabien.potencier@gmail.com>

Mon, 8 Apr 2013 12:15:31 +0000 (14:15 +0200)
author Rick Prent <rprent@hostnet.nl>
Fri, 8 Mar 2013 13:16:10 +0000 (14:16 +0100)
committer Fabien Potencier <fabien.potencier@gmail.com>
Mon, 8 Apr 2013 12:15:31 +0000 (14:15 +0200)
diff --git a/lib/Twig/Loader/Filesystem.php b/lib/Twig/Loader/Filesystem.php

index faf27e3..84a5e03 100644 (file)
--- a/lib/Twig/Loader/Filesystem.php
+++ b/lib/Twig/Loader/Filesystem.php
@@ -203,6 +203,7 @@ class Twig_Loader_Filesystem implements Twig_LoaderInterface, Twig_ExistsLoaderI
             throw new Twig_Error_Loader('A template name cannot contain NUL bytes.');
         }
 
+        $name = ltrim($name, '/');
         $parts = explode('/', $name);
         $level = 0;
         foreach ($parts as $part) {
diff --git a/test/Twig/Tests/Loader/FilesystemTest.php b/test/Twig/Tests/Loader/FilesystemTest.php

index 9ea2d0e..798e994 100644 (file)
--- a/test/Twig/Tests/Loader/FilesystemTest.php
+++ b/test/Twig/Tests/Loader/FilesystemTest.php
@@ -47,6 +47,7 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
             array('filters\\..\\..\\AutoloaderTest.php'),
             array('filters\\\\..\\\\..\\\\AutoloaderTest.php'),
             array('filters\\//../\\/\\..\\AutoloaderTest.php'),
+            array('/../AutoloaderTest.php'),
         );
     }
author	Rick Prent <rprent@hostnet.nl>
	Fri, 8 Mar 2013 13:16:10 +0000 (14:16 +0100)
committer	Fabien Potencier <fabien.potencier@gmail.com>
	Mon, 8 Apr 2013 12:15:31 +0000 (14:15 +0200)
lib/Twig/Loader/Filesystem.php		patch \| blob \| history
test/Twig/Tests/Loader/FilesystemTest.php		patch \| blob \| history