/** * Find the template * * Override for Twig_Loader_Filesystem::findTemplate to add support * for loading from safe directories. */ protected function findTemplate($name) { $name = (string) $name; // normalize name $name = preg_replace('#/{2,}#', '/', strtr($name, '\\', '/')); // If this is in the cache we can skip the entire process below // as it should have already been validated if (isset($this->cache[$name])) { return $this->cache[$name]; } // First, find the template name. The override above of validateName // causes the validateName process to be skipped for this call $file = parent::findTemplate($name); try { // Try validating the name (which may throw an exception) parent::validateName($name); } catch (\Twig_Error_Loader $e) { if (strpos($e->getRawMessage(), 'Looks like you try to load a template outside configured directories') === 0) { // Ok, so outside of the configured template directories, we // can now check if we're within a "safe" directory // Find the real path of the directory the file is in $directory = src_realpath(dirname($file)); if ($directory === false) { // Some sort of error finding the actual path, must throw the exception throw $e; } foreach ($this->safe_directories as $safe_directory) { if (strpos($directory, $safe_directory) === 0) { // The directory being loaded is below a directory // that is "safe". We're good to load it! return $file; } } } // Not within any safe directories throw $e; } // No exception from validateName, safe to load. return $file; }