From 0150471ef9f53e1c2338676c1ebc75d3a8c7f57b Mon Sep 17 00:00:00 2001
From: Mark Ivanowich <4605655+MarkIvanowich@users.noreply.github.com>
Date: Sat, 19 Apr 2025 14:33:53 -0500
Subject: [PATCH] Security for File Upload Conflicts

Additional checks to ensure an uploaded file is not on the `exclude_items` list.

---
 tinyfilemanager.php | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 10b9878..fc2cdbd 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -1055,19 +1055,23 @@ if (!empty($_FILES) && !FM_READONLY) {
 if (file_exists($fullPath)) {
 $ext_1 = $ext ? '.' . $ext : '';
 $datedPath = $path . '/' . basename($fullPathInput, $ext_1) . '_' . date('ymdHis') . $ext_1;
- switch($upload_name_conflict_handling)
- {
- case 'OLD':
- rename($fullPath,$datedPath);
- break;
- case 'REPLACE':
- if( fm_rdelete($fullPath) ) break;
- case 'NEW':
- default:
- $fullPathTarget = $datedPath;
+ if(fm_is_exclude_items($fullPath)){
+ $fullPathTarget = $datedPath; // excluded items should not be replaced or renamed
+ }else{
+ switch($upload_name_conflict_handling)
+ {
+ case 'OLD':
+ fm_rename($fullPath,$datedPath);
+ break;
+ case 'REPLACE':
+ if(fm_rdelete($fullPath)) break;
+ case 'NEW':
+ default:
+ $fullPathTarget = $datedPath;
+ }
 }
 }
- rename("{$fullPath}.part", $fullPathTarget);
+ fm_rename("{$fullPath}.part", $fullPathTarget);
 }
 } else if (move_uploaded_file($tmp_name, $fullPath)) {
 // Be sure that the file has been uploaded
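Review bot: The new exclusion check sits inside `if (file_exists($fullPath))`, so an upload whose name is on the exclude list but does not yet exist on disk never reaches it and is still written by `fm_rename("{$fullPath}.part", $fullPathTarget)` — the guard prevents overwriting an existing excluded file but not creating one, which is narrower than the commit message's "ensure an uploaded file is not on the exclude_items list". Running the check before the conflict handling and either rejecting the upload or unconditionally forcing `$fullPathTarget = $datedPath` would close that gap. The helper itself is not in the hunk, so confirm its contract before relying on it: if, as I believe its listing call sites in this file do, it is called with a bare entry name and returns `true` for items that are *not* excluded, then this branch is inverted and passing `$fullPath` will only ever match `*.ext` entries, and the condition should look like `if (!fm_is_exclude_items(basename($fullPath)))`. The enclosing upload handler begins before and ends after this hunk, and the initial value of `$fullPathTarget` is assigned outside it.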