From 80ad3068b36d48d6797c10cf59a2be6088300bcb Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Fri, 18 Apr 2014 15:09:47 +0200
Subject: [PATCH] check file in main and sub templates
---
 .../Core/Template/Smarty/SmartyParser.php | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/core/lib/Thelia/Core/Template/Smarty/SmartyParser.php b/core/lib/Thelia/Core/Template/Smarty/SmartyParser.php
index 4b7961b7a..05c84a3a4 100644
--- a/core/lib/Thelia/Core/Template/Smarty/SmartyParser.php
+++ b/core/lib/Thelia/Core/Template/Smarty/SmartyParser.php
@@ -239,11 +239,27 @@ class SmartyParser extends Smarty implements ParserInterface
 */
 public function render($realTemplateName, array $parameters = array())
 {
- if (false === $this->templateExists($realTemplateName)) {
+ if (false === $this->templateExists($realTemplateName) || false === $this->checkTemplate($realTemplateName)) {
 throw new ResourceNotFoundException(Translator::getInstance()->trans("Template file %file cannot be found.", array('%file' => $realTemplateName)));
 }
- return $this->internalRenderer('file', $realTemplateName, $parameters);
+
+ }
+
+ private function checkTemplate($fileName)
+ {
+ $templates = $this->getTemplateDir();
+
+ $found = true;
+ foreach ($templates as $key => $value) {
+ $absolutePath = rtrim(realpath(dirname($value.$fileName)), "/");
+ $templateDir = rtrim(realpath($value), "/");
+ if (!empty($absolutePath) && strpos($absolutePath, $templateDir) !== 0) {
+ $found = false;
+ }
+ }
+
+ return $found;
 }
 /**
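Review bot: render() no longer returns the rendered output: the hunk removes `return $this->internalRenderer('file', $realTemplateName, $parameters);` and adds only a blank line before the closing brace, so every successful call now returns null and that line should be reinstated before the `}` (the 18-insertion diffstat is consistent with no replacement return line, though the collapsed hunk makes this hard to verify with full certainty). In checkTemplate, the containment test `strpos($absolutePath, $templateDir) !== 0` is a bare string-prefix comparison, so a sibling directory whose name merely starts with the template directory's name would pass the check. Anchoring the prefix on the separator closes that gap: `if ($absolutePath !== '' && $templateDir !== '' && $absolutePath !== $templateDir && strpos($absolutePath, $templateDir . DIRECTORY_SEPARATOR) !== 0) {`. The explicit `$templateDir !== ''` guard also matters because `realpath($value)` returns false for a directory that does not exist, `rtrim(false, "/")` yields an empty string, and `strpos` with an empty needle behaves differently across PHP versions. The `$key` variable in the foreach is unused and can be dropped.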