From efdcb8c6f4b941b523ba846061cec2affbad871c Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Tue, 14 Dec 2010 14:36:45 +0100
Subject: [PATCH] fixed security check in filesystem loader
---
 lib/Twig/Loader/Filesystem.php | 16 ++++++++---
 test/Twig/Tests/Loader/Filesystem.php | 39 ----------------------------
 test/Twig/Tests/Loader/FilesystemTest.php | 40 +++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 44 deletions(-)
 delete mode 100644 test/Twig/Tests/Loader/Filesystem.php
 create mode 100644 test/Twig/Tests/Loader/FilesystemTest.php
diff --git a/lib/Twig/Loader/Filesystem.php b/lib/Twig/Loader/Filesystem.php
index e733da4..7fb2b7d 100644
--- a/lib/Twig/Loader/Filesystem.php
+++ b/lib/Twig/Loader/Filesystem.php
@@ -104,12 +104,18 @@ class Twig_Loader_Filesystem implements Twig_LoaderInterface
 // normalize name
 $name = str_replace('\\', '/', $name);
- // remove ./
- $name = preg_replace('#(^|/)\./(\./)*#', '$1', $name);
+ $parts = explode('/', $name);
+ $level = 0;
+ foreach ($parts as $part) {
+ if ('..' === $part) {
+ --$level;
+ } elseif ('.' !== $part) {
+ ++$level;
+ }
- // security check (a name cannot start with ../)
- if ('..' === substr($name, 0, 2)) {
- throw new Twig_Error_Loader('Looks like you try to load a template outside configured directories.');
+ if ($level < 0) {
+ throw new Twig_Error_Loader('Looks like you try to load a template outside configured directories.');
+ }
 }
 if (isset($this->cache[$name])) {
diff --git a/test/Twig/Tests/Loader/Filesystem.php b/test/Twig/Tests/Loader/Filesystem.php
deleted file mode 100644
index caf0d68..0000000
--- a/test/Twig/Tests/Loader/Filesystem.php
+++ /dev/null
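Review bot: The new level counter treats an empty segment as a directory, so a name containing `//` or starting with `/` passes the check while still resolving one level higher once the name is appended to a search directory (which the lookup presumably does below the hunk): `explode('/', 'foo//../../x')` yields `['foo', '', '..', '..', 'x']`, and `$level` never drops below zero for it. Skip empty parts in the `elseif` branch, `} elseif ('.' !== $part && '' !== $part) {`, or collapse repeated and leading slashes right after the backslash normalization with `$name = preg_replace('#/{2,}#', '/', ltrim($name, '/'));` before exploding. Dropping the old `./` normalization also means `$name` now reaches `$this->cache[$name]` verbatim, so `foo/./bar` and `foo/bar` become distinct cache entries; if that is intended, a one-line comment saying the name is deliberately not rewritten would help the next reader. The enclosing method starts and ends outside the hunk, and the `getSecurityTests` provider added in `test/Twig/Tests/Loader/FilesystemTest.php` has no case with an empty segment, so the gap is not covered by the new test either.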
@@ -1,39 +0,0 @@
-getCacheKey($template);
- }
-
- public function getSecurityTests()
- {
- return array(
- array('..\\AutoloaderTest.php'),
- array('../AutoloaderTest.php'),
- array('./../AutoloaderTest.php'),
- array('.\\..\\AutoloaderTest.php'),
- array('././././././../AutoloaderTest.php'),
- array('.\\./.\\./.\\./../AutoloaderTest.php'),
- array('foo/../../AutoloaderTest.php'),
- array('foo\\..\\..\\AutoloaderTest.php'),
- array('foo/../bar/../../AutoloaderTest.php'),
- array('foo/bar/../../../AutoloaderTest.php'),
- );
- }
-}
diff --git a/test/Twig/Tests/Loader/FilesystemTest.php b/test/Twig/Tests/Loader/FilesystemTest.php
new file mode 100644
index 0000000..a539686
--- /dev/null
+++ b/test/Twig/Tests/Loader/FilesystemTest.php
@@ -0,0 +1,40 @@
+getCacheKey($template);
+ }
+
+ public function getSecurityTests()
+ {
+ return array(
+ array('..\\AutoloaderTest.php'),
+ array('../AutoloaderTest.php'),
+ array('./../AutoloaderTest.php'),
+ array('.\\..\\AutoloaderTest.php'),
+ array('././././././../AutoloaderTest.php'),
+ array('.\\./.\\./.\\./../AutoloaderTest.php'),
+ array('foo/../../AutoloaderTest.php'),
+ array('foo\\..\\..\\AutoloaderTest.php'),
+ array('foo/../bar/../../AutoloaderTest.php'),
+ array('foo/bar/../../../AutoloaderTest.php'),
+ array('filters/../../AutoloaderTest.php'),
+ );
+ }
+}
--
1.7.2.5