diff --git a/config/cms.php b/config/cms.php
index 088323b50..e0f58e236 100644
--- a/config/cms.php
+++ b/config/cms.php
@@ -362,4 +362,23 @@ return [
     
     'enableTwigStrictVariables' => false,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Base Directory Restriction
+    |--------------------------------------------------------------------------
+    |
+    | Restricts loading backend template and config files to within the base
+    | directory of the application.
+    |
+    | WARNING: This should always be enabled for security reasons. However, in
+    | some cases you may need to disable this; for instance when developing
+    | plugins that are stored elsewhere in the filesystem for organizational
+    | reasons and then symlinked into the application plugins/ directory.
+    |
+    | NEVER have this disabled in production.
+    |
+    */
+
+    'restrictBaseDir' => true,
+
 ];
diff --git a/modules/system/traits/ConfigMaker.php b/modules/system/traits/ConfigMaker.php
index ff9a3e65c..01e12ba8f 100644
--- a/modules/system/traits/ConfigMaker.php
+++ b/modules/system/traits/ConfigMaker.php
@@ -7,6 +7,7 @@ use Event;
 use SystemException;
 use Backend\Classes\Controller;
 use stdClass;
+use Config;
 
 /**
  * Config Maker Trait
@@ -141,7 +142,9 @@ trait ConfigMaker
 
         $fileName = File::symbolizePath($fileName);
 
-        if (File::isLocalPath($fileName)) {
+        if (File::isLocalPath($fileName) ||
+            (!Config::get('cms.restrictBaseDir', true) && realpath($fileName) !== false)
+        ) {
             return $fileName;
         }
 
diff --git a/modules/system/traits/ViewMaker.php b/modules/system/traits/ViewMaker.php
index e1883bf69..ac8d1d248 100644
--- a/modules/system/traits/ViewMaker.php
+++ b/modules/system/traits/ViewMaker.php
@@ -8,6 +8,7 @@ use SystemException;
 use Exception;
 use Throwable;
 use Symfony\Component\Debug\Exception\FatalThrowableError;
+use Config;
 
 /**
  * View Maker Trait
@@ -194,7 +195,9 @@ trait ViewMaker
 
         $fileName = File::symbolizePath($fileName);
 
-        if (File::isLocalPath($fileName)) {
+        if (File::isLocalPath($fileName) ||
+            (!Config::get('cms.restrictBaseDir', true) && realpath($fileName) !== false)
+        ) {
             return $fileName;
         }
 
@@ -221,7 +224,10 @@ trait ViewMaker
      */
     public function makeFileContents($filePath, $extraParams = [])
     {
-        if (!strlen($filePath) || !File::isFile($filePath) || !File::isLocalPath($filePath)) {
+        if (!strlen($filePath) ||
+            !File::isFile($filePath) ||
+            (!File::isLocalPath($filePath) && Config::get('cms.restrictBaseDir', true))
+        ) {
             return '';
         }