Twig >1.0.0,<1.44.7 || >2.0.0,<2.15.3 || >3.0.0,<3.4.3 are affected by this security issue.
The issue has been fixed in Twig 1.44.7, 2.15.3 and 3.4.3.
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source
or include
statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file
(in such a case, validation is bypassed).
We fixed validation for such template names.
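As an added illustration, not Twig's own code, the following Python model shows why a traversal check that counts path levels over the full namespaced name lets @somewhere/../some.file through, and how validating the name only after the namespace prefix is stripped, plus a containment check on the resolved path, rejects it. The namespace directories are constructed values.

```python
import posixpath

# Constructed example layout: one main template directory and one namespace
# whose directory lives elsewhere (assumed paths, not a real Twig setup).
NAMESPACE_PATHS = {
    "__main__": "/srv/app/templates",
    "somewhere": "/srv/app/vendor/some-bundle/views",
}


def parse_name(name: str) -> tuple[str, str]:
    """Split '@ns/file.twig' into (ns, 'file.twig'); plain names use '__main__'."""
    if name.startswith("@"):
        ns, _, short = name[1:].partition("/")
        if not short:
            raise ValueError(f"malformed namespaced template name: {name!r}")
        return ns, short
    return "__main__", name


def traversal_level_ok(name: str) -> bool:
    """Level counting: each segment +1, each '..' -1; the level may never go negative."""
    level = 0
    for part in name.lstrip("/").split("/"):
        if part == "..":
            level -= 1
        elif part != ".":
            level += 1
        if level < 0:
            return False
    return True


def resolve_naive(name: str) -> str:
    """Weak order: check the full name (the '@ns' segment counts as +1 and absorbs
    one '..'), then strip the namespace and join the rest to that namespace's dir."""
    if not traversal_level_ok(name):
        raise PermissionError(f"template name escapes configured directories: {name!r}")
    ns, short = parse_name(name)
    return posixpath.normpath(posixpath.join(NAMESPACE_PATHS[ns], short))


def resolve_fixed(name: str) -> str:
    """Corrected order: validate the name after the namespace is removed, and
    confirm the resolved path still lies under the namespace directory."""
    ns, short = parse_name(name)
    if not traversal_level_ok(short):
        raise PermissionError(f"template name escapes configured directories: {name!r}")
    base = NAMESPACE_PATHS[ns]
    resolved = posixpath.normpath(posixpath.join(base, short))
    if resolved != base and not resolved.startswith(base.rstrip("/") + "/"):
        raise PermissionError(f"resolved path leaves {base}: {resolved}")
    return resolved


def is_rejected(resolver, name: str) -> bool:
    """True when the given resolver refuses the template name."""
    try:
        resolver(name)
    except PermissionError:
        return True
    return False
```

The naive resolver returns /srv/app/vendor/some-bundle/some.file for @somewhere/../some.file, a file outside every configured template directory, while the corrected one raises.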
Even though the 1.x branch is no longer maintained, a new version has been released.
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing it.