Merge branch '3.4'

* 3.4:
  fixed CS
  fixed CS
  [Security] Namespace generated CSRF tokens depending of the current scheme
  ensure that submitted data are uploaded files
  [Console] remove dead code
  bumped Symfony version to 3.3.13
  updated VERSION for 3.3.12
  updated CHANGELOG for 3.3.12
  bumped Symfony version to 2.8.31
  updated VERSION for 2.8.30
  updated CHANGELOG for 2.8.30
  bumped Symfony version to 2.7.38
  updated VERSION for 2.7.37
  updated CHANGELOG for 2.7.37
  [Security] Validate redirect targets using the session cookie domain
  prevent bundle readers from breaking out of paths

Author: nicolas-grekas

Data/Bundle/Reader/JsonBundleReader.php

@@ -30,6 +30,11 @@ public function read($path, $locale)
     {
         $fileName = $path.'/'.$locale.'.json';
 
+        // prevent directory traversal attacks
+        if (dirname($fileName) !== $path) {
+            throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
+        }
+
         if (!file_exists($fileName)) {
             throw new ResourceBundleNotFoundException(sprintf(
                 'The resource bundle "%s" does not exist.',

Data/Bundle/Reader/PhpBundleReader.php

@@ -30,6 +30,11 @@ public function read($path, $locale)
     {
         $fileName = $path.'/'.$locale.'.php';
 
+        // prevent directory traversal attacks
+        if (dirname($fileName) !== $path) {
+            throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
+        }
+
         if (!file_exists($fileName)) {
             throw new ResourceBundleNotFoundException(sprintf(
                 'The resource bundle "%s/%s.php" does not exist.',

Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.json

@@ -0,0 +1 @@
+{"Foo":"Bar"}

Tests/Data/Bundle/Reader/Fixtures/invalid_directory/en.php

@@ -0,0 +1,14 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+return array(
+    'Foo' => 'Bar',
+);

Tests/Data/Bundle/Reader/JsonBundleReaderTest.php

@@ -69,4 +69,12 @@ public function testReadFailsIfInvalidJson()
     {
         $this->reader->read(__DIR__.'/Fixtures/json', 'en_Invalid');
     }
+
+    /**
+     * @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
+     */
+    public function testReaderDoesNotBreakOutOfGivenPath()
+    {
+        $this->reader->read(__DIR__.'/Fixtures/json', '../invalid_directory/en');
+    }
 }

Tests/Data/Bundle/Reader/PhpBundleReaderTest.php

@@ -61,4 +61,12 @@ public function testReadFailsIfNotAFile()
     {
         $this->reader->read(__DIR__.'/Fixtures/NotAFile', 'en');
     }
+
+    /**
+     * @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
+     */
+    public function testReaderDoesNotBreakOutOfGivenPath()
+    {
+        $this->reader->read(__DIR__.'/Fixtures/php', '../invalid_directory/en');
+    }
 }