From 43e66b2004e10c828765219c8d2b8917f447f385 Mon Sep 17 00:00:00 2001
From: James Collins
Date: Thu, 15 Jan 2026 08:33:38 +1000
Subject: [PATCH] path traversal in chunk unlink fix
---
 app/Http/Controllers/MediaController.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/MediaController.php b/app/Http/Controllers/MediaController.php
index 9759664..73f8969 100644
--- a/app/Http/Controllers/MediaController.php
+++ b/app/Http/Controllers/MediaController.php
@@ -111,6 +111,7 @@ class MediaController extends Controller
 public function admin_store(Request $request) {
 $file = null;
+ $cleanupPath = null;
 // Check if the endpoint received a file...
 if($request->hasFile('file')) {
@@ -185,6 +186,7 @@ class MediaController extends Controller
 }
 $file = new UploadedFile($tempFileName, $fileName, $fileMime, null, true);
+ $cleanupPath = $tempFileName;
 unset($chunkUploads[$uploadToken]);
 session()->put('chunk_uploads', $chunkUploads);
 }
@@ -263,9 +265,8 @@ class MediaController extends Controller
 }
 }
- $tempPath = $file->getRealPath();
- if(is_string($tempPath)) {
- $realPath = realpath($tempPath);
+ if(is_string($cleanupPath)) {
+ $realPath = realpath($cleanupPath);
 $tempDir = realpath(sys_get_temp_dir());
 if($realPath !== false && $tempDir !== false && str_starts_with($realPath, $tempDir . DIRECTORY_SEPARATOR)) {
 @unlink($realPath);
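Review bot: `$cleanupPath` is assigned only here, in the chunk-assembly branch, so after this commit a file received through the `hasFile('file')` branch is no longer unlinked by the cleanup at the end of `admin_store`; that looks intentional (PHP removes its own upload temp files when the request ends), but nothing in the code says so. I would add a comment above the assignment such as `// Only the chunk-assembled temp file is ours to delete; direct uploads are cleaned up by PHP.` The derivation of `$tempFileName` is outside the hunk; if any part of it comes from the request or from the session's `chunk_uploads` entry, it should be validated where it is built rather than only at deletion time.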
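Review bot: The containment test in the `if` that follows `$tempDir = realpath(sys_get_temp_dir());` still accepts any file under the system temp directory, which on many hosts also holds PHP session files and other applications' temp files. Since only chunk-assembled files reach this point now, the check could be narrowed to a directory used solely for chunk assembly, e.g. `str_starts_with($realPath, $chunkDir . DIRECTORY_SEPARATOR)` with `$chunkDir` being the `realpath()` of that directory (placeholder name; the actual location is not visible in the diff). `@unlink($realPath)` also hides a failed delete, so orphaned chunk files would go unnoticed; checking the return value and logging a warning would make that visible. The enclosing block continues past the end of the hunk.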