When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed). Fix: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b (fixed in version 1.44.7) Please note: 1.x branch is not maintained anymore, a new versions have been released
Thank you for reporting! But already being tracked in bug 873364, I just missed adding the alias. Thanks! *** This bug has been marked as a duplicate of bug 873364 ***
no problemo :)