Security for File Upload Conflicts

Additional checks to ensure an uploaded file is not on the `exclude_items` list.
Mark Ivanowich 2025-04-19 14:33:53 -05:00 committed by GitHub
commit 0150471ef9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1055,19 +1055,23 @@ if (!empty($_FILES) && !FM_READONLY) {
if (file_exists($fullPath)) {
$ext_1 = $ext ? '.' . $ext : '';
$datedPath = $path . '/' . basename($fullPathInput, $ext_1) . '_' . date('ymdHis') . $ext_1;
switch($upload_name_conflict_handling)
{
case 'OLD':
rename($fullPath,$datedPath);
break;
case 'REPLACE':
if( fm_rdelete($fullPath) ) break;
case 'NEW':
default:
$fullPathTarget = $datedPath;
if(fm_is_exclude_items($fullPath)){
$fullPathTarget = $datedPath; // excluded items should not be replaced or renamed
}else{
switch($upload_name_conflict_handling)
{
case 'OLD':
fm_rename($fullPath,$datedPath);
break;
case 'REPLACE':
if(fm_rdelete($fullPath)) break;
case 'NEW':
default:
$fullPathTarget = $datedPath;
}
}
}
rename("{$fullPath}.part", $fullPathTarget);
fm_rename("{$fullPath}.part", $fullPathTarget);
}
} else if (move_uploaded_file($tmp_name, $fullPath)) {
// Be sure that the file has been uploaded
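Review bot: The excluded branch still keeps the upload: `$fullPathTarget = $datedPath` followed by `fm_rename("{$fullPath}.part", $fullPathTarget)` stores the file beside the protected item under a dated name with the same extension, so if `exclude_items` holds extension patterns the stored file would presumably still match one. The check also sits only inside `if (file_exists($fullPath))`, so the `move_uploaded_file($tmp_name, $fullPath)` path is not guarded by anything visible here; the upload block starts and ends outside the hunk, so a guard may exist elsewhere. Consider rejecting the upload when the name is excluded (remove the `.part` file and report an error) and running that test before the `file_exists` check. `fm_is_exclude_items` is defined outside the hunk; confirm that it returns true for excluded entries and that it accepts a full path, since it is called with `$fullPath`. The `REPLACE` case relies on falling through when `fm_rdelete` fails, which deserves a comment such as `// no break: fall back to NEW if delete fails`.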