From 9e5b2becf4b908cc43f152d542f6fd11c6fcecb6 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Tue, 14 Dec 2010 17:24:03 +0100
Subject: [PATCH] made some tweak to the security check for the filesystem loader

---
 lib/Twig/Loader/Filesystem.php            |    2 +-
 test/Twig/Tests/Loader/FilesystemTest.php |    6 ++++++
 2 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/lib/Twig/Loader/Filesystem.php b/lib/Twig/Loader/Filesystem.php
index 7fb2b7d..6ec0dfb 100644
--- a/lib/Twig/Loader/Filesystem.php
+++ b/lib/Twig/Loader/Filesystem.php
@@ -102,7 +102,7 @@ class Twig_Loader_Filesystem implements Twig_LoaderInterface
     protected function findTemplate($name)
     {
         // normalize name
-        $name = str_replace('\\', '/', $name);
+        $name = preg_replace('#(/+|\\+)#', '/', str_replace('\\', '/', $name));
 
         $parts = explode('/', $name);
         $level = 0;
diff --git a/test/Twig/Tests/Loader/FilesystemTest.php b/test/Twig/Tests/Loader/FilesystemTest.php
index a539686..30d0c4d 100644
--- a/test/Twig/Tests/Loader/FilesystemTest.php
+++ b/test/Twig/Tests/Loader/FilesystemTest.php
@@ -25,7 +25,9 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
     {
         return array(
             array('..\\AutoloaderTest.php'),
+            array('..\\\\\\AutoloaderTest.php'),
             array('../AutoloaderTest.php'),
+            array('..////AutoloaderTest.php'),
             array('./../AutoloaderTest.php'),
             array('.\\..\\AutoloaderTest.php'),
             array('././././././../AutoloaderTest.php'),
@@ -35,6 +37,10 @@ class Twig_Tests_Loader_FilesystemTest extends PHPUnit_Framework_TestCase
             array('foo/../bar/../../AutoloaderTest.php'),
             array('foo/bar/../../../AutoloaderTest.php'),
             array('filters/../../AutoloaderTest.php'),
+            array('filters//..//..//AutoloaderTest.php'),
+            array('filters\\..\\..\\AutoloaderTest.php'),
+            array('filters\\\\..\\\\..\\\\AutoloaderTest.php'),
+            array('filters\\//../\\/\\..\\AutoloaderTest.php'),
         );
     }
 }
-- 
1.7.2.5
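Review bot: The pattern `'#(/+|\\+)#'` on the added line in findTemplate does not match runs of backslashes: in a single-quoted PHP string `'\\'` is one backslash, so PCRE receives `\+`, which is a literal plus sign, and any template name containing `+` (for example `foo+bar.twig`) is silently rewritten to `foo/bar.twig`. Backslashes are already converted to `/` by the inner `str_replace`, so the second alternative is redundant in any case; collapsing repeated separators only needs `$name = preg_replace('#/+#', '/', str_replace('\\', '/', $name));`. A short why-comment would also help, since the reason for collapsing is not visible here: `// collapse repeated separators so explode() below yields no empty segments around ".."`. The `..` level counting that consumes `$parts` lies outside the hunk, so how it treats empty segments cannot be confirmed from this view.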
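Review bot: The new cases in this data provider only assert that traversal-looking names are rejected; nothing in FilesystemTest checks that a legitimate name containing a literal `+` still resolves, even though the loader's new `preg_replace('#(/+|\\+)#', ...)` pattern matches a plus sign (PCRE `\+`) rather than a backslash run and would rewrite such a name. A positive test that loads a fixture whose name contains `+` and asserts its source is returned unchanged would pin the intended behaviour and catch the regression. The data provider's signature and the class are outside the hunks shown here.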