The fix for CVE-2025-49113 for RoundCube 1.4.15
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index d7c2c94..8ff64b3 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -272,6 +272,22 @@ class rcube_utils
 return self::parse_input_value($value, $allow_html, $charset);
 }
+ /**
+ * Check if input value is a "simple" string.
+ * "Simple" is defined as a non-empty string containing only
+ * - "word" characters (alphanumeric plus underscore),
+ * - dots,
+ * - dashes.
+ *
+ * @param string $input The string to test
+ *
+ * @return bool
+ */
+ public static function is_simple_string($input)
+ {
+ return is_string($input) && !!preg_match('/^[\w.-]+$/i', $input);
+ }
+
 /**
 * Parse/validate input value. See self::get_input_value()
 * Performs stripslashes() and charset conversion if necessary
diff --git a/program/steps/settings/upload.inc b/program/steps/settings/upload.inc
index 5863239..44dff34 100644
--- a/program/steps/settings/upload.inc
+++ b/program/steps/settings/upload.inc
@@ -17,9 +17,16 @@
 +-----------------------------------------------------------------------+
 */
-$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_GET);
+$from = rcube_utils::get_input_string('_from', rcube_utils::INPUT_GET);
 $type = preg_replace('/(add|edit)-/', '', $from);
+// Validate URL input.
+if (!rcube_utils::is_simple_string($type)) {
+ rcube::write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
+ $OUTPUT->command('display_message', 'Invalid input', 'error');
+ $OUTPUT->send('iframe');
+}
+
 // Plugins in Settings may use this file for some uploads (#5694)
 // Make sure it does not contain a dot, which is a special character
 // when using rcube_session::append() below
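Review bot: The allowlist pattern `/^[\w.-]+$/i` in is_simple_string() still accepts a value that ends in a single newline, because PCRE's `$` matches before a trailing "\n" unless the `D` (dollar-end-only) modifier is set or `\z` is used; for a helper whose whole purpose is to be a strict allowlist on user-controlled input, that gap should be closed: `return is_string($input) && preg_match('/^[\w.-]+$/D', $input) === 1;`. Comparing to `=== 1` instead of `!!` also keeps a PCRE error (which returns false) distinct from "no match", and the `i` modifier is redundant since `\w` already matches both letter cases. It is worth adding to the docblock that, with no `u` modifier, `\w` is in practice limited to ASCII word characters, so non-ASCII letters are rejected, which appears to be the intent. The rest of the rcube_utils class is outside the hunk.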
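Review bot: The rejection branch depends on `$OUTPUT->send('iframe')` terminating the request; that method is not visible here, and if it returns in this version instead of exiting, execution falls through to the upload handling below with the rejected `$type` still set. An explicit terminator after the send makes the guard self-contained regardless of send()'s behaviour: `$OUTPUT->send('iframe');` followed by `exit;`. Note also that the check runs on `$type`, i.e. after the `add-`/`edit-` prefix has been stripped, while the log message speaks of the raw `_from` parameter; a one-line comment such as `// Reject before $type reaches the session key / plugin dispatch below` would make the ordering deliberate. The code that consumes `$type`, including the rcube_session::append() call referenced in the trailing comment, is outside the hunk.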