Fix: Arbitrary File Read

pimcore · Apr 19, 2023 · 1d12840 · 1d12840
1 parent 21e35af
commit 1d12840
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php b/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
@@ -2463,7 +2463,12 @@ public function importServerFilesAction(Request $request)
         if (!$assetFolder) {
             throw $this->createNotFoundException('Parent asset not found');
         }
-        $serverPath = PIMCORE_PROJECT_ROOT . $request->get('serverPath');
+
+        $serverPath = realpath(PIMCORE_PROJECT_ROOT . $request->get('serverPath'));
+        if(!str_starts_with($serverPath, rtrim(str_replace('../', '', PIMCORE_PROJECT_ROOT), './'))) {
+            throw $this->createAccessDeniedException('Please do not navigate out of the web root directory!');
+        }
+
         $files = explode('::', $request->get('files'));
 
         foreach ($files as $file) {