Possibility to load a template outside a configured directory when using the filesystem loader

High
fabpot published GHSA-52m2-vc4m-jj33 Sep 28, 2022

Package

composer twig/twig (Composer)

Affected versions

>1.0.0,<1.44.7 || >2.0.0,<2.15.3 || >3.0.0,<3.4.3

Patched versions

1.44.7,2.15.3,3.4.3

Description

When the filesystem loader is used to load templates whose name comes from user input, the `source` or `include` statement can be used to read arbitrary files from outside the configured templates directory. Passing a namespaced name such as `@somewhere/../some.file` bypasses the loader's template name validation, so the `..` segment is not rejected and the path escapes the directory registered for that namespace.
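As an added example (not Twig's own code, and independent of the fix shipped in the patched versions), the following validator can be applied to any user-controlled template name before it reaches `FilesystemLoader`. It parses the `@namespace/path` form and refuses any `.` or `..` segment, absolute path, backslash or null byte, which is stricter than Twig's own validation; the `somewhere` namespace, the directory layout and the `$requested` value are constructed for the demonstration and assume PHP 8.

```php
<?php
// Added example: reject template names that could leave the directory
// configured for their namespace. Plain names ("page.html.twig") and
// namespaced names ("@theme/page.html.twig") are both handled.
declare(strict_types=1);

function isSafeTemplateName(string $name): bool
{
    // Null bytes and backslashes (Windows separators) are never legitimate.
    if (str_contains($name, "\0") || str_contains($name, '\\')) {
        return false;
    }
    $path = $name;
    if ($name !== '' && $name[0] === '@') {
        // Namespaced form: "@ns/relative/path". The namespace must be a
        // simple identifier; everything after the first "/" is the path.
        if (!preg_match('#^@([A-Za-z0-9_-]+)/(.+)$#', $name, $m)) {
            return false;
        }
        $path = $m[2];
    }
    // No absolute paths and no "." or ".." segments anywhere, so both
    // "@somewhere/../some.file" and "../../etc/passwd" are refused.
    if ($path === '' || $path[0] === '/') {
        return false;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }
    return true;
}

// Usage with the loader: $requested stands in for user input (constructed).
$loader = new \Twig\Loader\FilesystemLoader(__DIR__ . '/templates');
$loader->addPath(__DIR__ . '/themes', 'somewhere');   // assumed directory
$requested = '@somewhere/../some.file';

if (!isSafeTemplateName($requested)) {
    throw new \InvalidArgumentException('Refusing unsafe template name');
}
$twig = new \Twig\Environment($loader);
echo $twig->render($requested);
```

The same check belongs on any user-controlled value that ends up in a `source()` call or an `include` tag inside a template, since those go through the same loader.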

Resolution

We fixed validation for such template names.

Even though the 1.x branch is no longer maintained, a new 1.x release has been published with the fix.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

Severity

High

CVE ID

CVE-2022-39261

Weaknesses

No CWEs