Index: themes/engines/phptemplate/phptemplate.engine
===================================================================
RCS file: /cvs/drupal/drupal/themes/engines/phptemplate/phptemplate.engine,v
retrieving revision 1.54.2.6
diff -u -p -r1.54.2.6 phptemplate.engine
--- themes/engines/phptemplate/phptemplate.engine	29 Apr 2009 17:49:52 -0000	1.54.2.6
+++ themes/engines/phptemplate/phptemplate.engine	1 May 2009 20:18:45 -0000
@@ -257,7 +257,7 @@ function phptemplate_page($content, $sho
   $suggestion = 'page';
   $suggestions = array($suggestion);
   while ($arg = arg($i++)) {
-    $arg = str_replace(array("/", "\\", "\0"), '', $arg);
+    $arg = str_replace(array("../", "..\\", "\0"), '', $arg);
     $suggestions[] = $suggestion . '-' . $arg;
     if (!is_numeric($arg)) {
       $suggestion .= '-' . $arg;
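Review bot: The new filter on the `$arg` line is a single-pass `str_replace`, so an argument in which removing one `../` leaves another `../` behind (for example four dots followed by two slashes) still reaches the template lookup with a parent-directory segment intact; the same single-pass removal is used for `$extension` and `$suggestion` in the `_phptemplate_default` hunk below, whose comment promises that backing out of the current path is disallowed. Repeating the replacement until the string stops changing closes that gap without reintroducing the old blanket stripping of slashes, e.g. `while (($clean = str_replace(array("../", "..\\", "\0"), '', $arg)) !== $arg) {` / `  $arg = $clean;` / `}` in place of the single call (and likewise for the two sites in the second hunk). Rejecting any value that still contains `..` after the loop, rather than silently cleaning it, would be a stricter alternative since a suggestion name never legitimately contains that sequence. The enclosing `phptemplate_page()` starts before this hunk, so the origin of `$i` and the later use of `$suggestions` are not visible here.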
@@ -377,14 +377,14 @@ function phptemplate_box($title, $conten
 function _phptemplate_default($hook, $variables, $suggestions = array(), $extension = '.tpl.php') {
   global $theme_engine;
 
-  // Remove slashes or null to prevent files from being included from
-  // an unexpected location (especially on Windows servers).
-  $extension = str_replace(array("/", "\\", "\0"), '', $extension);
+  // Disallow backing out of the current path and prevent null's so files are
+  // not included from an unexpected location (especially on Windows servers).
+  $extension = str_replace(array("../", "..\\", "\0"), '', $extension);
 
   // Loop through any suggestions in FIFO order.
   $suggestions = array_reverse($suggestions);
   foreach ($suggestions as $suggestion) {
-    $suggestion = str_replace(array("/", "\\", "\0"), '', $suggestion);
+    $suggestion = str_replace(array("../", "..\\", "\0"), '', $suggestion);
     if (!empty($suggestion) && file_exists(path_to_theme() .'/'. $suggestion . $extension)) {
       $file = path_to_theme() .'/'. $suggestion . $extension;
       break;
