Affected versions

Twig >1.0.0,1.44.7 || >2.0.0,2.15.3 || >3.0.0,3.4.3 are affected by this security issue.

The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

            <hr style="margin-bottom: 5px" />
            <div style="font-size: 90%">
                <a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
            </div>

https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Létrehozva 3y | 2022. szept. 28. 10:20:04

Jelentkezéshez jelentkezzen be

EGYÉB POSTS Ebben a csoportban

New in Symfony 7.3: Validator Improvements

Symfony 7.3 introduces several enhancements to the Validator component, focusing on developer experience, better configurability, and more expressive constraint definitions.

Allow to Disable Translat

2025. máj. 27. 8:30:20 | Symfony

New in Symfony 7.3: Serializer Improvements

Symfony 7.3 adds a new JsonStreamer component as a high-performance, low-memory JSON encoding and decoding utility. However, the Serializer component still has many valid use cases, even for JSON cont

2025. máj. 26. 9:20:09 | Symfony

Symfony 7.3.0-RC1 released

Symfony 7.3.0-RC1 has just been released. This is a pre-release version of Symfony 7.3. If you want to test it in your own applications before its final release, run the following commands:

2025. máj. 26. 0:10:10 | Symfony

A Week of Symfony #960 (May 19–25, 2025)

This week, development activity focused on putting the final touches on Symfony 7.3 in preparation for its stable release next week. In addition, we published a security fix for a potential vulnerabil

2025. máj. 25. 10:10:12 | Symfony

New in Symfony 7.3: New Bridges and Improved Integrations

Symfony's bridge packages integrate third-party services, such as mailers, notifiers, and translation providers, into Symfony applications. With more than 120 bridges available today, Symfony supports

2025. máj. 23. 9:30:04 | Symfony

New in Symfony 7.3: Messenger Improvements

Symfony Messenger component keeps evolving to meet the needs of complex, modern applications. In Symfony 7.3, we're introducing several powerful features to it.

Run Process Using the Shell… https://s

2025. máj. 22. 7:50:11 | Symfony

New in Symfony 7.3: Routing Improvements

The Routing component provides an impressive list of features to map incoming URLs to your application code. Symfony 7.3 pushes it even further with a set of new features that improve developer experi

2025. máj. 21. 11:10:07 | Symfony

Techie

Twig security release: Possibility to load a template outside a configured directory when using the filesystem loader

Affected versions

Description

Resolution

Credits

EGYÉB POSTS Ebben a csoportban