Security Hotfix: Critical RCE Patch & File Manager Hardening

Pre-release

@bertugfahriozer bertugfahriozer released this 02 Feb 18:18

⚠️ Security Critical Update

This release addresses critical security vulnerabilities in the File Manager. All users are strongly advised to upgrade immediately. Deployments that ran an affected version should also audit the managed directories for files whose extensions fall outside the configured whitelist, since the rename endpoint could previously be used to produce them.

🔒 Security Patches

  • Critical (RCE): Patched a Remote Code Execution vulnerability in the File Manager rename endpoint. The endpoint did not apply the extension whitelist to the new file name, so a file accepted under an allowed extension could be renamed to an extension the web server executes (Reported by Lars van Mil).
  • High: Fixed a directory displacement vulnerability (folders could be moved to arbitrary locations within the managed tree) by disabling arbitrary folder move operations.
  • Medium: Enforced stricter blacklist rules for sensitive paths. .env, .git, .github and vendor are now explicitly blocked from listing and access.
  • Medium: Added the CSRF token validation that was missing from the File Manager's state-changing AJAX operations (Delete, Save, Rename); these endpoints previously accepted requests without a token.
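The following is an added example and is not code from this release or from the project; the page does not state the project's implementation language, so it is written in Python to show the four checks the patches above describe in one hardened rename handler: CSRF token verification before any mutating AJAX request, canonicalisation of the requested path against the managed root with the .env/.git/.github/vendor blacklist applied at every depth, re-validation of the target name's extension (last segment only, case-insensitive, no path separators, so a rename cannot double as a move), and a single validation function that other endpoints can share. The extension whitelist, the `rename_file` signature, and the temporary-directory scenario in `demo()` are assumptions made for illustration.

```python
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Assumed whitelist for illustration; the project's actual list is not on the page.
ALLOWED_EXTENSIONS = {"txt", "md", "html", "css", "js", "json"}
# Names the release notes say are now blocked from listing and access.
BLOCKED_NAMES = {".env", ".git", ".github", "vendor"}


class FileManagerError(Exception):
    """Raised for any rejected file-manager request."""


def validate_new_name(name: str) -> str:
    """Validate the *target* name of a rename and return its extension.

    The bypass class fixed in the release is a rename endpoint that did not
    re-check the extension of the new name, so an allowed upload could be
    renamed to an executable extension. Every check here is on the final name.
    """
    if not name or any(ord(c) < 32 for c in name):
        raise FileManagerError("invalid characters in name")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise FileManagerError("rename must not contain a path")
    if name.startswith(".") or name.endswith(".") or "." not in name:
        raise FileManagerError("name must have an extension and not be hidden")
    ext = name.rsplit(".", 1)[1].lower()  # last segment only, case-insensitive
    if ext not in ALLOWED_EXTENSIONS:
        raise FileManagerError("target extension not allowed")
    return ext


def resolve_inside_root(root: Path, relative: str) -> Path:
    """Canonicalise a user-supplied path, then enforce the root and the blacklist."""
    root = root.resolve()
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise FileManagerError("path escapes managed root")
    if any(part in BLOCKED_NAMES for part in candidate.relative_to(root).parts):
        raise FileManagerError("blocked system path")
    return candidate


def verify_csrf(session_token: Optional[str], request_token: Optional[str]) -> bool:
    """Constant-time check of the token an AJAX caller echoes against the session's."""
    if not session_token or not request_token:
        return False
    return hmac.compare_digest(session_token, request_token)


def rename_file(root: Path, old_rel: str, new_name: str,
                session_token: Optional[str], request_token: Optional[str]) -> Path:
    """Hardened rename: CSRF check, blacklist, extension whitelist, and no moves."""
    if not verify_csrf(session_token, request_token):
        raise FileManagerError("missing or invalid CSRF token")
    src = resolve_inside_root(root, old_rel)
    validate_new_name(new_name)
    dst = src.with_name(new_name)  # stays in the source directory by construction
    if not src.is_file():
        raise FileManagerError("source is not a regular file")
    if dst.exists():
        raise FileManagerError("target already exists")
    src.rename(dst)
    return dst


def _attempt(action: Callable[[], Path]) -> str:
    try:
        return "allowed: " + action().name
    except FileManagerError as exc:
        return "rejected: " + str(exc)


def demo() -> dict:
    """Constructed scenario in a temporary root; returns the outcome of each request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / "notes.txt").write_text("hello")
        (root / ".env").write_text("APP_KEY=constructed")
        token = secrets.token_hex(16)  # token bound to the session
        results["rename"] = _attempt(lambda: rename_file(root, "uploads/notes.txt", "notes.md", token, token))
        results["bypass"] = _attempt(lambda: rename_file(root, "uploads/notes.md", "shell.PHP", token, token))
        results["move"] = _attempt(lambda: rename_file(root, "uploads/notes.md", "../notes.md", token, token))
        results["blocked"] = _attempt(lambda: rename_file(root, ".env", "env.txt", token, token))
        results["no_csrf"] = _attempt(lambda: rename_file(root, "uploads/notes.md", "x.txt", token, None))
        results["traversal"] = _attempt(lambda: rename_file(root, "../../etc/passwd", "p.txt", token, token))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

The whitelist is applied to the name the file will have after the operation, not to the name it had before, which is the distinction the rename bypass exploited; the blacklist is checked on the canonical path so that `..` segments and symlinks cannot route around it; and the CSRF check runs before any filesystem access so that a forged cross-site request fails closed.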

🛠 Improvements & Changes

  • File Manager: Disabled "Drag & Drop" functionality to prevent accidental directory structure changes and improve stability.
  • UI/UX: Updated Monaco Editor file tree configuration; folders now default to a collapsed state for better navigation.
  • Refactor: Centralized file extension validation logic so that every endpoint that writes or renames a file applies the same whitelist check instead of its own copy.

🏆 Credits

Special thanks to security researcher Lars van Mil for responsibly disclosing the vulnerabilities and assisting in the validation of these fixes.