[Security] Admin Authenticated Arbitrary JavaScript-CSS File Read (#1…

…4958) * Fix: Arbitrary JavaScript-CSS File Read * Fix: Arbitrary JavaScript-CSS File Read * Fix: Arbitrary JavaScript-CSS File Read * Fix: PHPStan * Fix: Allow project root folder
pimcore · Apr 19, 2023 · 553c9a4 · 553c9a4
1 parent bff0f1c
commit 553c9a4
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/MiscController.php b/bundles/AdminBundle/Controller/Admin/MiscController.php
@@ -137,8 +137,18 @@ public function scriptProxyAction(Request $request)
             $allowedFileTypes = ['js', 'css'];
             $scripts = explode(',', $request->get('scripts'));
 
-            if ($request->get('scriptPath')) {
-                $scriptPath = PIMCORE_WEB_ROOT . $request->get('scriptPath');
+            $scriptPath = $request->get('scriptPath');
+            if ($scriptPath) {
+                $scriptPath = realpath(PIMCORE_WEB_ROOT . $scriptPath);
+                if(!$scriptPath) {
+                    throw $this->createNotFoundException('Directory not found!');
+                }
+
+                if(!str_starts_with($scriptPath, rtrim(str_replace('../', '', PIMCORE_PROJECT_ROOT), './'))) {
+                    throw $this->createAccessDeniedException('Scripts not found! Please do not navigate out of the web root directory!');
+                }
+
+                $scriptPath .= '/';
             } else {
                 $scriptPath = PIMCORE_SYSTEM_TEMP_DIRECTORY . '/';
             }