From 3dc105173a8899b6266bc8befce0d289802a06a0 Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Tue, 13 Oct 2020 19:14:31 +1100
Subject: [PATCH] Only allow local files via view engine The Laravel view engine wants to supply the Twig engine with an absolute path, even though this is outside the inclusion rules. This implements a temporary exception to wave it through. It seems like a suitable alternative instead of implementing a reverse lookup to ensure the path is a valid view file, since we can trust the source engine has passed the value through its resolver already Fixes previous fix
---
 modules/system/twig/Engine.php | 8 ++++++++
 modules/system/twig/Loader.php | 9 ++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/modules/system/twig/Engine.php b/modules/system/twig/Engine.php
index affcab34e..6a3cbcae3 100644
--- a/modules/system/twig/Engine.php
+++ b/modules/system/twig/Engine.php
@@ -1,5 +1,6 @@ environment->loadTemplate($path); + + TwigLoader::$allowInclude = $previousAllow; + return $template->render($vars); } }
diff --git a/modules/system/twig/Loader.php b/modules/system/twig/Loader.php
index c42756a0a..baafc7773 100644
--- a/modules/system/twig/Loader.php
+++ b/modules/system/twig/Loader.php
@@ -15,9 +15,9 @@ use Exception;
 class Loader implements TwigLoaderInterface
 {
 /**
- * @var string Expected file extension
+ * @var bool Allow any local file
 */
- protected $extension = 'htm';
+ public static $allowInclude = false;
 /**
 * @var array Cache
@@ -37,9 +37,8 @@ class Loader implements TwigLoaderInterface
 return $this->cache[$name];
 }
- $view = $name;
- if (File::extension($view) === $this->extension) {
- $view = substr($view, 0, -strlen($this->extension));
+ if (static::$allowInclude === true && File::isFile($name)) {
+ return $this->cache[$name] = $name;
 }
 $path = $finder->find($name);
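Review bot: In modules/system/twig/Engine.php the restore `TwigLoader::$allowInclude = $previousAllow;` only runs when `loadTemplate($path)` returns normally, so a template that fails to load or compile would leave the static flag as it was set before the call. That is presumably `true`, although the lines that set it are not visible in this hunk. Because the flag is process-wide static state, the Loader would then keep accepting any local file for the rest of the request. Wrapping the call closes that window: `try { $template = $this->environment->loadTemplate($path); } finally { TwigLoader::$allowInclude = $previousAllow; }`.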
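Review bot: The docblock on `public static $allowInclude` in the first hunk of modules/system/twig/Loader.php says only `Allow any local file`, which does not tell a maintainer that this switch suspends the loader's inclusion rules for every Loader instance in the process. I would spell out the contract, for example `@var bool When true, any existing file path is accepted as-is; set only by the view Engine around loadTemplate() and restored immediately afterwards`. Since the property is both public and static, any code can flip it, so a narrower visibility or a scoped helper that sets and restores it would make the exception harder to misuse.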
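Review bot: In the second hunk of modules/system/twig/Loader.php the bypass branch stores its result with `$this->cache[$name] = $name`, while the cache lookup (`return $this->cache[$name];`) sits above the `$allowInclude` check. A path admitted while the flag was set therefore still resolves from the cache after the flag has been reset. If the same Loader instance later serves includes from CMS templates, an absolute path that was once rendered through the view engine stays loadable outside the inclusion rules. Returning without caching, `return $name;`, keeps the exception tied to the flag. The enclosing method starts and ends outside the hunk, so the condition guarding the cache lookup is inferred.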