niftycent.com
NiftyCent
SK
Prihlásiť sa
Marketplace
Zľavy

Twig security release: Possibility to load a template outside a configured directory when using the filesystem loader

Affected versions

Twig >1.0.0,1.44.7 || >2.0.0,2.15.3 || >3.0.0,3.4.3 are affected by this security issue.

The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

            <hr style="margin-bottom: 5px" />
            <div style="font-size: 90%">
                <a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
            </div>

https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Vytvorené 3y | 28. 9. 2022, 10:20:04


Ak chcete pridať komentár, prihláste sa

Ostatné príspevky v tejto skupine

Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)
Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)

Vente-unique.com, a leading European online retailer of furniture and home decor, operates in 11 countries, powered by a team of 400 professionals and serving more than 3 million customers. From 15 ye

2. 7. 2025, 9:10:03 | Symfony
A Week of Symfony #965 (June 23–29, 2025)
A Week of Symfony #965 (June 23–29, 2025)

This week, Symfony 6.4.23, 7.2.8 and 7.3.1 maintenance versions were released. Meanwhile, the upcoming Symfony 7.4 version continued adding new features such as better controller helpers, more precisi

29. 6. 2025, 9:10:15 | Symfony
Symfony 6.4.23 released
Symfony 6.4.23 released

Symfony 6.4.23 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in you

28. 6. 2025, 9:50:15 | Symfony
Symfony 7.2.8 released
Symfony 7.2.8 released

Symfony 7.2.8 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

28. 6. 2025, 9:50:15 | Symfony
Symfony 7.3.1 released
Symfony 7.3.1 released

Symfony 7.3.1 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

28. 6. 2025, 9:50:14 | Symfony
A Week of Symfony #964 (June 16–22, 2025)
A Week of Symfony #964 (June 16–22, 2025)

This week, development activity was intense, with many bug fixes in the maintained branches, numerous deprecation removals in the 8.0 branch, and new features added to the 7.4 branch, including tighte

22. 6. 2025, 8:10:05 | Symfony
SymfonyOnline June 2025: Speakers, Stats & Replays!
SymfonyOnline June 2025: Speakers, Stats & Replays!

Thank you for joining us at SymfonyOnline June 2025!

What a great edition of SymfonyOnline we’ve just wrapped up! 🎉

We were thrilled to welcome 300 participants from 35 different countries—a

18. 6. 2025, 8:50:17 | Symfony
Techie
Techie