The Laravel view engine wants to supply the Twig engine with an absolute path, even though this is outside the inclusion rules. This implements a temporary exception to wave it through. It seems like a suitable alternative instead of implementing a reverse lookup to ensure the path is a valid view file, since we can trust the source engine has passed the value through its resolver already
Fixes previous fix
This logic is called via {% include %} (fixed) and as a custom .htm driver for View::make (broken). The previous change was too aggressive and broke the latter. This still fixes arbitrary file inclusion whilst retaining the original design. Both logic paths are now fixed and have been tested
Samuel Georges
Ben Thomson
Luke Towers
Arthur Kushman
Stefan Talen