
Fix CVE-2025-15138 upload fullpath extension bypass#1419

Open
billyp2340 wants to merge 1 commit into prasathmani:master from billyp2340:fix-cve-2025-15138-upload-fullpath-extension-bypass

Conversation

@billyp2340


Summary

Fixes CVE-2025-15138, where the upload fullpath parameter could be used to bypass upload extension validation and influence the final upload destination/name.

Changes

  • Validate the uploaded file name from $_FILES['file']['name'] using basename() instead of trusting the submitted fullpath.
  • Derive the allowed extension check from the sanitized upload filename.
  • Treat fullpath only as a directory hint for folder uploads, not as the authoritative target filename.
  • Resolve upload folders with realpath() and reject paths outside FM_ROOT_PATH.
  • Ensure chunked upload conflict renaming uses the validated filename and resolved folder path.

Security Impact

This prevents attackers from submitting a crafted fullpath value that causes Tiny File Manager to write an uploaded file with a disallowed extension or outside the intended upload root.

Testing

  • Verified the upload path now builds the final destination from the sanitized uploaded filename.
  • Verified requested upload folders are resolved and checked against FM_ROOT_PATH.
  • Verified existing chunked upload handling still writes to .part files and renames using the validated target path.
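The hardening steps listed under "Changes", shown as an added PHP example written for this page (it is not Tiny File Manager's own code and does not reproduce the PR's diff). It takes the name and extension from `$_FILES['file']['name']` via `basename()`, uses `fullpath` only as a folder hint, confines the resolved folder with `realpath()`, and applies a conflict rename to the validated target. The function names `resolveUploadTarget` and `uniqueTarget`, the extension allowlist, the temporary root standing in for `FM_ROOT_PATH`, and the `folder/sub/name.ext` form of `fullpath` are assumptions made for this example.

```php
<?php
// Added example, not Tiny File Manager's own code. Allowlist, temp root and
// function names are assumptions made for this demonstration.
declare(strict_types=1);

/**
 * Return the absolute destination for an upload, or null to reject it.
 * $rootPath stands in for FM_ROOT_PATH; $uploadName is the raw
 * $_FILES['file']['name']; $fullpath is the client's folder/name hint.
 */
function resolveUploadTarget(string $rootPath, string $uploadName, string $fullpath, array $allowedExt): ?string
{
    $root = realpath($rootPath);
    if ($root === false) {
        return null;
    }

    // 1. The file name comes from the upload itself; basename() drops any
    //    directory components the client put into it.
    $filename = basename(str_replace('\\', '/', $uploadName));
    if ($filename === '' || $filename === '.' || $filename === '..') {
        return null;
    }

    // 2. The extension check runs on that sanitized name, so fullpath
    //    cannot swap in a different extension.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }

    // 3. fullpath is a directory hint only: keep its dirname, ignore its
    //    basename, and refuse any ".." segment before touching the disk.
    $segments = [];
    foreach (explode('/', dirname(str_replace('\\', '/', $fullpath))) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return null;
        }
        $segments[] = $seg;
    }
    $folder = $segments === [] ? $root : $root . '/' . implode('/', $segments);

    // 4. Create the folder under the root, then re-check with realpath() so a
    //    symlink inside the tree cannot redirect the write outside it.
    if (!is_dir($folder) && !mkdir($folder, 0750, true)) {
        return null;
    }
    $resolved = realpath($folder);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($resolved === false || ($resolved !== $root && strncmp($resolved, $prefix, strlen($prefix)) !== 0)) {
        return null;
    }

    return $resolved . DIRECTORY_SEPARATOR . $filename;
}

/** On a name conflict (e.g. the final rename of a chunked upload), suffix the validated target. */
function uniqueTarget(string $target): string
{
    if (!file_exists($target)) {
        return $target;
    }
    $dir  = dirname($target);
    $base = pathinfo($target, PATHINFO_FILENAME);
    $ext  = pathinfo($target, PATHINFO_EXTENSION);
    for ($i = 1; ; $i++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . $base . '-' . $i . ($ext === '' ? '' : '.' . $ext);
        if (!file_exists($candidate)) {
            return $candidate;
        }
    }
}

// Constructed demonstration inputs (not real requests).
$root = sys_get_temp_dir() . '/tfm-upload-demo-' . getmypid();
mkdir($root, 0750, true);
$allowed = ['txt', 'png', 'pdf'];

$cases = [
    ['report.txt',   'docs/2024/report.txt'],     // accepted: /docs/2024/report.txt
    ['notes.txt',    'docs/other.php'],           // accepted as notes.txt; fullpath's own name is ignored
    ['shell.php',    'docs/shell.php'],           // rejected: extension not allowed
    ['notes.txt',    '../../outside/notes.txt'],  // rejected: traversal in the folder hint
    ['../notes.txt', 'docs/notes.txt'],           // accepted as /docs/notes.txt after basename()
];
foreach ($cases as [$name, $fullpath]) {
    $target = resolveUploadTarget($root, $name, $fullpath, $allowed);
    printf("%-14s %-26s => %s\n", $name, $fullpath, $target === null ? 'REJECTED' : substr($target, strlen(realpath($root))));
}

// Conflict handling on an already validated target.
$first = resolveUploadTarget($root, 'report.txt', 'docs/2024/report.txt', $allowed);
touch($first);
echo 'conflict rename: ', substr(uniqueTarget($first), strlen(realpath($root))), "\n";
```

The lexical `..` rejection and the `realpath()` containment check are deliberately both present: the first stops traversal before `mkdir()` can create anything outside the root, the second catches symlinks that a purely lexical check cannot see.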


2 participants