From: Fabien Potencier
Date: Tue, 14 Dec 2010 16:24:03 +0000 (+0100)
Subject: made some tweak to the security check for the filesystem loader
X-Git-Url: http://git.silmor.de/gitweb/?a=commitdiff_plain;h=9e5b2becf4b908cc43f152d542f6fd11c6fcecb6;p=web%2Fkonrad%2Ftwig.git

made some tweak to the security check for the filesystem loader
---

diff --git a/lib/Twig/Loader/Filesystem.php b/lib/Twig/Loader/Filesystem.php
index 7fb2b7d..6ec0dfb 100644
--- a/lib/Twig/Loader/Filesystem.php
+++ b/lib/Twig/Loader/Filesystem.php
@@ -102,7 +102,7 @@ class Twig_Loader_Filesystem implements Twig_LoaderInterface
 protected function findTemplate($name)
 {
 // normalize name
- $name = str_replace('\\', '/', $name);
+ $name = preg_replace('#(/+|\\+)#', '/', str_replace('\\', '/', $name));
 
 $parts = explode('/', $name);
 $level = 0;
diff --git a/test/Twig/Tests/Loader/FilesystemTest.php b/test/Twig/Tests/Loader/FilesystemTest.php
index a539686..30d0c4d 100644
--- a/test/Twig/Tests/Loader/FilesystemTest.php
+++ b/test/Twig/Tests/Loader/FilesystemTest.php
@@ -25,7 +25,9 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
 {
 return array(
 array('..\\AutoloaderTest.php'),
+ array('..\\\\\\AutoloaderTest.php'),
 array('../AutoloaderTest.php'),
+ array('..////AutoloaderTest.php'),
 array('./../AutoloaderTest.php'),
 array('.\\..\\AutoloaderTest.php'),
 array('././././././../AutoloaderTest.php'),
@@ -35,6 +37,10 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
 array('foo/../bar/../../AutoloaderTest.php'),
 array('foo/bar/../../../AutoloaderTest.php'),
 array('filters/../../AutoloaderTest.php'),
+ array('filters//..//..//AutoloaderTest.php'),
+ array('filters\\..\\..\\AutoloaderTest.php'),
+ array('filters\\\\..\\\\..\\\\AutoloaderTest.php'),
+ array('filters\\//../\\/\\..\\AutoloaderTest.php'),
 );
 }
 }
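Review bot: The second alternative of the new pattern on the `+` line, written `\\+` inside a PHP single-quoted string, reaches PCRE as `\+` — an escaped literal plus sign, not "one or more backslashes" — so any template name containing `+` (say `a+b.html`) is silently rewritten to `a/b.html` and resolved as a different path. That alternative is also dead for its apparent purpose, because the inner `str_replace` has already turned every backslash into `/` before the regex runs. Collapsing runs of slashes alone is sufficient and avoids the escaping trap: `$name = preg_replace('#/{2,}#', '/', str_replace('\\', '/', $name));`. Presumably the collapse exists so that `explode('/')` never yields empty segments for the level-counting loop that follows; that loop, and the rest of findTemplate's body, lie past the end of the hunk, so I could not confirm how an empty segment is scored there.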
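Review bot: Every case added to this provider is a rejection case; nothing checks that a legitimate name containing a regex-special character survives the new normalisation, which is exactly what would have caught the `\\+`-becomes-literal-`+` problem in Filesystem.php. A positive case — loading a name such as `foo+bar.html` that exists under the test template directory, or at minimum asserting that findTemplate returns a path still containing the `+` — would pin the intended behaviour; whether such a fixture exists is not visible from here. The mixed-separator case `'filters\\//../\\/\\..\\AutoloaderTest.php'` is a good addition and should stay. The provider method's signature is above the hunk, so its name and the test that consumes it are not visible from this excerpt.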