Affected versions

Twig >1.0.0,1.44.7 || >2.0.0,2.15.3 || >3.0.0,3.4.3 are affected by this security issue.

The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

            <hr style="margin-bottom: 5px" />
            <div style="font-size: 90%">
                <a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
            </div>

https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Létrehozva 3y | 2022. szept. 28. 10:20:04

Jelentkezéshez jelentkezzen be

EGYÉB POSTS Ebben a csoportban

A Week of Symfony #967 (July 7–13, 2025)

This week, Symfony unveiled the Symfony AI initiative, a set of components and bundles designed to bring powerful AI capabilities directly into your PHP applications. In addition, we published travel

2025. júl. 13. 9:20:11 | Symfony

Kicking off the Symfony AI Initiative

Today we are happy to announce a new Symfony initiative called Symfony AI - with the goal to provide a comprehensive set of components and bundles designed to bring powerful AI capabilities directly i

2025. júl. 11. 13:20:27 | Symfony

SymfonyCon Amsterdam 2025: Travel & Lodging Tips

SymfonyCon Amsterdam 2025, our next annual international Symfony conference, will take place on:

November 25 & 26: 2 workshops days with several topics to learn, practice and improve your skills

2025. júl. 11. 8:40:20 | Symfony

A Week of Symfony #966 (June 30 – July 6, 2025)

This week, development on the upcoming Symfony 8.0 version continued with the removal of deprecated features and the marking of several classes as final. In addition, we published two new case studies

2025. júl. 6. 8:10:15 | Symfony

Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6

At Wide, Micropole’s digital agency, they help leading brands modernize their digital infrastructures while ensuring scalability, security, and performance. When Audi France approached them to migrate

2025. júl. 4. 9:40:14 | Symfony

Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)

Vente-unique.com, a leading European online retailer of furniture and home decor, operates in 11 countries, powered by a team of 400 professionals and serving more than 3 million customers. From 15 ye

2025. júl. 2. 9:10:03 | Symfony

A Week of Symfony #965 (June 23–29, 2025)

This week, Symfony 6.4.23, 7.2.8 and 7.3.1 maintenance versions were released. Meanwhile, the upcoming Symfony 7.4 version continued adding new features such as better controller helpers, more precisi

2025. jún. 29. 9:10:15 | Symfony

Techie

Twig security release: Possibility to load a template outside a configured directory when using the filesystem loader

Affected versions

Description

Resolution

Credits

EGYÉB POSTS Ebben a csoportban