security #cve- Fix a security issue on filesystem loader (possibility to load a template outside a configured directory) (fabpot)

This PR was merged into the 1.x branch.

Author: fabpot

src/Loader/FilesystemLoader.php

@@ -221,9 +221,9 @@ protected function findTemplate($name)
         }
 
         try {
-            $this->validateName($name);
-
             list($namespace, $shortname) = $this->parseName($name);
+
+            $this->validateName($shortname);
         } catch (LoaderError $e) {
             if (!$throw) {
                 return false;

tests/Loader/FilesystemTest.php

@@ -31,6 +31,7 @@ public function testGetSourceContext()
     public function testSecurity($template)
     {
         $loader = new FilesystemLoader([__DIR__.'/../Fixtures']);
+        $loader->addPath(__DIR__.'/../Fixtures', 'foo');
 
         try {
             $loader->getCacheKey($template);
@@ -62,6 +63,10 @@ public function getSecurityTests()
             ['filters\\\\..\\\\..\\\\AutoloaderTest.php'],
             ['filters\\//../\\/\\..\\AutoloaderTest.php'],
             ['/../AutoloaderTest.php'],
+            ['@__main__/../AutoloaderTest.php'],
+            ['@foo/../AutoloaderTest.php'],
+            ['@__main__/../../AutoloaderTest.php'],
+            ['@foo/../../AutoloaderTest.php'],
         ];
     }