From 498cadec2292f7842fb10612068ac78496e884b4 Mon Sep 17 00:00:00 2001
From: robertSt7 <104770750+robertSt7@users.noreply.github.com>
Date: Thu, 20 Apr 2023 16:56:53 +0200
Subject: [PATCH] [Security] Admin Authenticated Arbitrary File Read (#14974)

* Fix: disable asset importFromServer for users
* Doc: Add Upgrade Notes
---
 .../AdminBundle/Controller/Admin/Asset/AssetController.php | 4 ++++
 bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js | 2 +-
 .../23_Installation_and_Upgrade/09_Upgrade_Notes/README.md | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php b/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
index c2a6a90b244..f3ec571ee62 100644
--- a/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
+++ b/bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
@@ -2459,6 +2459,10 @@ public function importServerAction(Request $request)
 */
 public function importServerFilesAction(Request $request)
 {
+ if(!Tool\Admin::getCurrentUser()->isAdmin()) {
+ throw $this->createAccessDeniedException('Permission denied. You don\'t have the rights to import files from the server!');
+ }
+
 $assetFolder = Asset::getById((int) $request->get('parentId'));
 if (!$assetFolder) {
 throw $this->createNotFoundException('Parent asset not found');
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js b/bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js
index 29072edae4b..6ad46d37747 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js
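Review bot: The sibling `importServerAction`, whose signature appears in the hunk header, receives no admin gate in this commit; if it is the endpoint that lists server-side paths for this import dialog, the same `isAdmin()` check belongs there as well, otherwise the listing stays reachable for non-admin users even though the copy step is now blocked. `Tool\Admin::getCurrentUser()` is dereferenced without a null check; if it can return null for a session without a user, `$user = Tool\Admin::getCurrentUser(); if (!$user || !$user->isAdmin()) {` fails closed with an access-denied response instead of an uncaught Error. The upgrade note in this same commit says the feature is removed in Pimcore 11, so the method docblock closed by the first context line should carry `@deprecated Import from server is admin-only and will be removed in Pimcore 11`. Minor style: `if(` should be `if (` per PSR-12, matching the `if (!$assetFolder)` line a few lines down. The body of `importServerFilesAction` continues past the end of the hunk.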
@@ -594,7 +594,7 @@ pimcore.asset.tree = Class.create({
 });
 }
- if (perspectiveCfg.inTreeContextMenu("asset.add.importFromServer")) {
+ if (perspectiveCfg.inTreeContextMenu("asset.add.importFromServer") && pimcore.currentuser.admin) {
 menuItems.push({
 text: t("import_from_server"),
 handler: this.importFromServer.bind(this, tree, record),
diff --git a/doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md b/doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
index 37c474f3076..3a870e9a793 100644
--- a/doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
+++ b/doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
@@ -1,8 +1,12 @@
 # Upgrade Notes
+## 10.5.21
+- [Assets] The Asset `Import from Server` feature is now only available for admins. It will be removed in Pimcore 11
+
 ## 10.5.13
 - [Web2Print] Print document twig expressions are now executed in a sandbox with restrictive security policies (just like Sending mails and Dataobject Text Layouts introduced in 10.5.9).
+
 ## 10.5.10
 - [DataObject] Deprecated: Loading non-Concrete objects with the Concrete class will not be possible in Pimcore 11.
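Review bot: Gating the context-menu entry on `pimcore.currentuser.admin` only hides the UI affordance, and nothing in the hunk tells a reader that the actual enforcement is the server-side check in `AssetController::importServerFilesAction` added in the same commit; a one-line comment above the condition, `// admin-only: enforced server-side in AssetController::importServerFilesAction, this only hides the menu entry`, keeps the two checks from drifting apart. The enclosing function starts before the hunk and continues after it.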