made some tweak to the security check for the filesystem loader

diff --git a/lib/Twig/Loader/Filesystem.php b/lib/Twig/Loader/Filesystem.php
index 7fb2b7d..6ec0dfb 100644 (file)
--- a/lib/Twig/Loader/Filesystem.php
+++ b/lib/Twig/Loader/Filesystem.php
@@ -102,7 +102,7 @@ class Twig_Loader_Filesystem implements Twig_LoaderInterface
     protected function findTemplate($name)
     {
         // normalize name
-        $name = str_replace('\\', '/', $name);
+        $name = preg_replace('#(/+|\\+)#', '/', str_replace('\\', '/', $name));
 
         $parts = explode('/', $name);
         $level = 0;

diff --git a/test/Twig/Tests/Loader/FilesystemTest.php b/test/Twig/Tests/Loader/FilesystemTest.php
index a539686..30d0c4d 100644 (file)
--- a/test/Twig/Tests/Loader/FilesystemTest.php
+++ b/test/Twig/Tests/Loader/FilesystemTest.php
@@ -25,7 +25,9 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
     {
         return array(
             array('..\\AutoloaderTest.php'),
+            array('..\\\\\\AutoloaderTest.php'),
             array('../AutoloaderTest.php'),
+            array('..////AutoloaderTest.php'),
             array('./../AutoloaderTest.php'),
             array('.\\..\\AutoloaderTest.php'),
             array('././././././../AutoloaderTest.php'),
@@ -35,6 +37,10 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
             array('foo/../bar/../../AutoloaderTest.php'),
             array('foo/bar/../../../AutoloaderTest.php'),
             array('filters/../../AutoloaderTest.php'),
+            array('filters//..//..//AutoloaderTest.php'),
+            array('filters\\..\\..\\AutoloaderTest.php'),
+            array('filters\\\\..\\\\..\\\\AutoloaderTest.php'),
+            array('filters\\//../\\/\\..\\AutoloaderTest.php'),
         );
     }
 }