[Security] Admin Authenticated Arbitrary File Read (#14974)

* Fix: disable asset importFromServer for users

* Doc: Add Upgrade Notes

bundles/AdminBundle/Controller/Admin/Asset/AssetController.php

@@ -2459,6 +2459,10 @@ public function importServerAction(Request $request)
      */
     public function importServerFilesAction(Request $request)
     {
+        if(!Tool\Admin::getCurrentUser()->isAdmin()) {
+            throw $this->createAccessDeniedException('Permission denied. You don\'t have the rights to import files from the server!');
+        }
+
         $assetFolder = Asset::getById((int) $request->get('parentId'));
         if (!$assetFolder) {
             throw $this->createNotFoundException('Parent asset not found');

bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js

@@ -594,7 +594,7 @@ pimcore.asset.tree = Class.create({
                             });
                         }
 
-                        if (perspectiveCfg.inTreeContextMenu("asset.add.importFromServer")) {
+                        if (perspectiveCfg.inTreeContextMenu("asset.add.importFromServer") && pimcore.currentuser.admin) {
                             menuItems.push({
                                 text: t("import_from_server"),
                                 handler: this.importFromServer.bind(this, tree, record),

doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md

@@ -1,8 +1,12 @@
 # Upgrade Notes
 
+## 10.5.21
+- [Assets] The Asset `Import from Server` feature is now only available for admins. It will be removed in Pimcore 11
+
 ## 10.5.13
 - [Web2Print] Print document twig expressions are now executed in a sandbox with restrictive security policies (just like Sending mails and Dataobject Text Layouts introduced in 10.5.9).
 
+
 ## 10.5.10
 - [DataObject] Deprecated: Loading non-Concrete objects with the Concrete class will not be possible in Pimcore 11.