From ed65fd4aa1122cb3aecf6a9684d493e1c9282323 Mon Sep 17 00:00:00 2001
From: Joao Alves
Date: Thu, 20 May 2021 14:29:28 +0100
Subject: [PATCH] Validate file in upload.
---
 tinyfilemanager.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 96dbf0a..922f2a8 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -958,6 +958,14 @@ if (!empty($_FILES) && !FM_READONLY) {
 $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
 $isFileAllowed = ($allowed) ? in_array($ext, $allowed) : true;

+ if(!fm_isvalid_filename($filename) && !fm_isvalid_filename($_REQUEST['fullpath'])) {
+ $response = array (
+ 'status' => 'error',
+ 'info' => "Invalid File name!",
+ );
+ echo json_encode($response); exit();
+ }
+
 $targetPath = $path . $ds;
 if ( is_writable($targetPath) ) {
 $fullPath = os_path_join($path, $_REQUEST['fullpath']);
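Review bot: The new guard joins its two checks with `&&`, so the upload is rejected only when both `$filename` and `$_REQUEST['fullpath']` fail `fm_isvalid_filename()`; a request whose file name passes but whose `fullpath` does not still reaches `os_path_join($path, $_REQUEST['fullpath'])` on the last line of the hunk. If either bad value is meant to stop the upload, the condition should read `if (!fm_isvalid_filename($filename) || !fm_isvalid_filename($_REQUEST['fullpath'])) {`. `fm_isvalid_filename()` is defined outside this hunk; if it rejects path separators, `fullpath` would need to be validated segment by segment (including a check for `..`) rather than as a single name. `$_REQUEST['fullpath']` is also read without an `isset` check, and the enclosing `if (!empty($_FILES) && !FM_READONLY)` block starts and ends outside the hunk.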