Issue Type: Bug Created: 2009-02-11T11:39:41.000+0000 Last Updated: 2009-08-04T08:39:04.000+0000 Status: Resolved Fix version(s): - 1.9.1 (11/Aug/09)
Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View
Related issues: - ZF-5724
Attachments: - patch
Zend_View::render() currently allows script names that include parent directory notation -- which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.
Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T11:40:33.000+0000
Based on ZF-5724 submission, but specific to render() vs. the script paths.
Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T12:07:14.000+0000
Fix committed to trunk in r14049
Posted by Matthew Weier O'Phinney (matthew) on 2009-02-12T13:28:27.000+0000
Patch applied to 1.7 release branch
Have you found an issue?
See the Overview section for more details.