When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).
We fixed validation for such template names.
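
An application-side check for user-supplied template names, added here as an example; it is not Twig's code or the released fix. The function name, the allowed namespaces and the sample inputs are assumptions. It validates the path that follows the @namespace prefix, which is the part that gets joined to the namespace's directory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; not part of Twig.
// Rejects any template name whose path would climb above its root,
// including names that start with an "@namespace/" prefix.
function assertSafeTemplateName(string $name, array $allowedNamespaces): void
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in template name');
    }

    $path = $name;
    if ($name !== '' && $name[0] === '@') {
        $slash = strpos($name, '/');
        if ($slash === false) {
            throw new InvalidArgumentException('malformed namespaced name');
        }
        $namespace = substr($name, 1, $slash - 1);
        if (!in_array($namespace, $allowedNamespaces, true)) {
            throw new InvalidArgumentException('unknown namespace');
        }
        // Check only what follows the namespace, not the whole string.
        $path = substr($name, $slash + 1);
    }

    // Walk the segments and track depth relative to the root directory.
    $depth = 0;
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '..') {
            $depth--;
        } elseif ($segment !== '' && $segment !== '.') {
            $depth++;
        }
        if ($depth < 0) {
            throw new InvalidArgumentException('name escapes its root');
        }
    }
}

// Constructed sample inputs, including the name form from the advisory.
$samples = ['index.html', '@admin/users/list.html', '@admin/a/../b.html',
            '@somewhere/../some.file', '../some.file', '@unknown/x.html'];
foreach ($samples as $name) {
    try {
        assertSafeTemplateName($name, ['admin', 'somewhere']);
        echo "accept  $name\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $name ({$e->getMessage()})\n";
    }
}
```
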
Although the 1.x branch is no longer maintained, a new version has been released.
We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing it.