Affected versions
Twig >1.0.0,1.44.7 || >2.0.0,2.15.3 || >3.0.0,3.4.3 are affected by this security issue.
The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.
Description
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).
Resolution
We fixed validation for such template names.
Even if the 1.x branch is not maintained anymore, a new version has been released.
Credits
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
<hr style="margin-bottom: 5px" />
<div style="font-size: 90%">
<a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
</div>Zaloguj się, aby dodać komentarz
Inne posty w tej grupie
SymfonyLive Berlin 2025, conference held in English, will take place from April 1 to 4! The schedule is being revealed gradually. More details are available here. 🚨 Enjoy the last few days bef
SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here. 🚨 Tod
Symfony 6.4.19 has just been released. Here is the list of the most important changes since 6.4.18:
bug #59198 [Messenger] Filter out non-consumable receivers when registering ConsumeMessagesComm
Symfony 7.2.4 has just been released. Here is the list of the most important changes since 7.2.3:
bug #59198 [Messenger] Filter out non-consumable receivers when registering ConsumeMessagesComman
SymfonyLive Paris 2025, conference in French language only, will already start in 1 month with the workshops! Have a look on the topics and join us! Schedule details are available here.
📣
A few weeks ago, I had the pleasure of announcing the formation of the Symfony UX Core Team, a dedicated group working to enhance the frontend development experience within the Symfony ecosystem. Toda
SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here.
Al
