
php-twig-Twig: file disclosure

Package(s): php-twig-Twig
CVE #(s):
Created: April 29, 2013
Updated: May 1, 2013
Description: From the Twig advisory:

Your application is affected if you are using Twig_Loader_Filesystem for loading Twig templates but only if you are using non-trusted template names (names provided by an end-user for instance).

When affected, it is possible to go up one directory for the paths configured in your loader.

For instance, if the filesystem loader is configured with /path/to/templates as a path to look for templates, you can force Twig to include a file stored in /path/to by prepending the path with /../ like in {% include "/../somefile_in_path_to" %}

Note that using anything else (like ../somefile, /../../somefile, or ../../somefile) won’t work and you will get a proper exception.

Fedora FEDORA-2013-6107 php-twig-Twig 2013-04-27
Fedora FEDORA-2013-6114 php-twig-Twig 2013-04-27
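
An added example, not taken from the Twig advisory or the Twig project: a containment check an application can apply to untrusted template names before passing them to a filesystem loader. The helper `resolveTemplate()` and the temporary directory layout are hypothetical and constructed for illustration.

```php
<?php
// resolveTemplate() is a hypothetical helper, not part of Twig.
// It resolves an untrusted template name and refuses anything that
// ends up outside the configured template root.
function resolveTemplate(string $root, string $name): string
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in template name');
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        throw new RuntimeException('Template root not found');
    }
    // realpath() collapses "." and ".." segments and follows symlinks;
    // it returns false when the target does not exist.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($name, '/\\'));
    if ($candidate === false) {
        throw new InvalidArgumentException('Template not found');
    }
    // Compare against the root plus a trailing separator so that a
    // sibling such as "templates_old" does not pass a prefix match.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Template escapes root');
    }
    return $candidate;
}

// Constructed layout mirroring the advisory's description:
//   <base>/templates/page.html    inside the loader path
//   <base>/somefile_in_path_to    one directory above it
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('twig_demo_');
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/page.html', 'hello');
file_put_contents($base . '/somefile_in_path_to', 'outside the template root');

$names = ['page.html', '/../somefile_in_path_to', '../somefile_in_path_to', 'missing.html'];
foreach ($names as $name) {
    try {
        echo 'ALLOW  ', $name, ' -> ', resolveTemplate($base . '/templates', $name), "\n";
    } catch (Exception $e) {
        echo 'REJECT ', $name, ' (', $e->getMessage(), ")\n";
    }
}

// Remove the constructed files again.
unlink($base . '/templates/page.html');
unlink($base . '/somefile_in_path_to');
rmdir($base . '/templates');
rmdir($base);
```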
