Fixed rename failing to prevent rename to restricted file extension in media library, 'Remote Code Execution via Chained Rename Bypass and .htaccess PHP Handler Injection', reported by @kdalal-vulncheck #419

Author: givanz

system/traits/media.php

@@ -205,6 +205,8 @@ function rename() {
 		$duplicate   =  $this->request->post['duplicate'] ?? false;
 		$dirMedia    = $this->dirMedia;
 
+		$this->response->setType('json');
+
 		$currentFile = $dirMedia . DS . $file;
 		if ($newfile) {
 			$targetFile  = $dirMedia . DS . $newfile;
@@ -217,8 +219,9 @@ function rename() {
 		$extension = strtolower(substr($targetFile, strrpos($targetFile, '.') + 1));
 
 		if (isset($this->uploadDenyExtensions) && in_array($extension, $this->uploadDenyExtensions)) {
-			$message .= __('File type not allowed!');
-			$success = false;
+			$message = ['success' => false, 'message' => __('File type not allowed!')];
+			$this->response->output($message);
+			return;
 		}
 
 		if ($duplicate) {
@@ -235,7 +238,6 @@ function rename() {
 			}
 		}
 
-		$this->response->setType('json');
 		$this->response->output($message);
 	}