File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.

N/A

整数溢出或超界折返

File Browser 输入验证错误漏洞

File Browser是File Browser开源的一个文件管理界面，在指定的目录，它可以用来上传，删除，预览和编辑文件。 File Browser 2.61.2及之前版本存在输入验证错误漏洞，该漏洞源于TUS可恢复上传处理程序未验证Upload-Length标头为非负值，可能导致拒绝服务、命令注入或工作流滥用。

N/A

N/A