ZF-5748: Zend_View render() allows parent directory notation, opening potential LFI exploit


Zend_View::render() currently allows script names that include parent directory notation -- which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.
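An added example, not the committed fix or any Zend Framework code: one way to apply the check the report asks for, rejecting parent directory notation and then confirming the resolved file still sits beneath a registered script directory. The function name `resolveViewScript()`, the temporary directory layout and the sample script names are constructed for illustration.

```php
<?php
// Added illustration. resolveViewScript() is a hypothetical helper,
// not part of Zend_View's API.

function resolveViewScript(string $name, array $scriptPaths): string
{
    // First check: refuse any ".." path segment, with either separator,
    // before the name is ever joined to a directory.
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $name)) {
        throw new InvalidArgumentException(
            'Script name may not contain parent directory notation'
        );
    }

    foreach ($scriptPaths as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // registered path does not exist
        }
        // Second check: resolve symlinks and confirm the result is
        // still underneath the registered script directory.
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
        $prefix    = $base . DIRECTORY_SEPARATOR;
        if ($candidate !== false
            && is_file($candidate)
            && strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    throw new RuntimeException('Script not found in registered script paths');
}

// Constructed demo: one view script inside the script path, one file outside.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zf5748_' . uniqid();
mkdir("$root/views/scripts", 0700, true);
file_put_contents("$root/views/scripts/index.phtml", 'ok');
file_put_contents("$root/outside.txt", 'not a view script');

foreach (['index.phtml', '../../outside.txt', 'sub/..\\..\\outside.txt'] as $name) {
    try {
        echo $name, ' => ', resolveViewScript($name, ["$root/views/scripts"]), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The containment check after `realpath()` also covers the case where a symlink inside the script directory points outside it, which the pattern match alone would not catch.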


Based on ZF-5724 submission, but specific to render() vs. the script paths.

Fix committed to trunk in r14049

Patch applied to 1.7 release branch