Adding more checks into PhpReader that currently exist in Configure.

cake/libs/config/php_reader.php

@@ -51,8 +51,13 @@ class PhpReader implements ConfigReaderInterface {
  * @param string $key The identifier to read from.  If the key has a . it will be treated
  *   as a plugin prefix.
  * @return array Parsed configuration values.
+ * @throws RuntimeException when files don't exist or they don't contain `$config`.
+ *    InvalidArgumentException when files contain '..' as this could lead to abusive reads.
  */
 	public function read($key) {
+		if (strpos($key, '..') !== false) {
+			throw new InvalidArgumentException(__('Cannot load configuration files with ../ in them.'));
+		}
 		list($plugin, $key) = pluginSplit($key);
 		
 		if ($plugin) {

cake/tests/cases/libs/config/php_reader.test.php

@@ -63,6 +63,17 @@ class PhpReaderTest extends CakeTestCase {
 		$reader->read('empty');
 	}
 
+/**
+ * test reading keys with ../ doesn't work
+ *
+ * @expectedException InvalidArgumentException
+ * @return void
+ */
+	function testReadWithDots() {
+		$reader = new PhpReader($this->path);
+		$reader->read('../empty');
+	}
+
 /**
  * test reading from plugins
  *