The fix for CVE-2025-49113 for RoundCube 1.6.10
diff --git a/program/actions/settings/upload.php b/program/actions/settings/upload.php
index d1cbbdc142..513e5d1228 100644
--- a/program/actions/settings/upload.php
+++ b/program/actions/settings/upload.php
@@ -32,6 +32,13 @@ public function run($args = [])
 $from = rcube_utils::get_input_string('_from', rcube_utils::INPUT_GET);
 $type = preg_replace('/(add|edit)-/', '', $from);
+ // Validate URL input.
+ if (!rcube_utils::is_simple_string($type)) {
+ rcmail::write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
+ $rcmail->output->command('display_message', 'Invalid input', 'error');
+ $rcmail->output->send('iframe');
+ }
+
 // Plugins in Settings may use this file for some uploads (#5694)
 // Make sure it does not contain a dot, which is a special character
 // when using rcube_session::append() below
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index b9db11f0a3..b67f7f1b1a 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -285,6 +285,22 @@ public static function get_input_string($fname, $source, $allow_html = false, $c
 return is_string($value) ? $value : '';
 }
+ /**
+ * Check if input value is a "simple" string.
+ * "Simple" is defined as a non-empty string containing only
+ * - "word" characters (alphanumeric plus underscore),
+ * - dots,
+ * - dashes.
+ *
+ * @param string $input The string to test
+ *
+ * @return bool
+ */
+ public static function is_simple_string($input)
+ {
+ return is_string($input) && !!preg_match('/^[\w.-]+$/i', $input);
+ }
+
 /**
 * Read request parameter value and convert it for internal use
 * Performs stripslashes() and charset conversion if necessary
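Review bot: The rejection branch in the upload.php hunk stops the request only if `$rcmail->output->send('iframe');` never returns; should that call come back (for instance if the output layer is configured not to exit), run() continues below the hunk and handles the upload with the rejected `$type`. Making the guard self-contained costs one line: `$rcmail->output->send('iframe'); exit;` (or a `return;` if run() is expected to return normally), so the validation does not depend on the output object's termination behaviour. Note that the check is applied to `$type` after the `add-`/`edit-` prefix is stripped, so a bare `_from=add-` yields an empty string and is rejected by the `+` quantifier in is_simple_string(), which is the intended outcome. The enclosing run() starts and ends outside the hunk, as does the definition of `$rcmail`.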
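Review bot: The pattern `'/^[\w.-]+$/i'` in is_simple_string() still accepts a value with one trailing newline, because `$` matches before a final "\n" unless the `D` modifier is set, so `is_simple_string("abc\n")` returns true although the docblock promises only word characters, dots and dashes. Anchoring with `\z` and comparing the match count explicitly instead of double-negating it makes the intent clear: `return is_string($input) && preg_match('/^[\w.-]+\z/', $input) === 1;`. The `i` flag is redundant, since `\w` already covers both cases. Without the `u` modifier `\w` is matched byte-wise against PCRE's character tables, which PHP derives from the active locale, so depending on the locale bytes above 0x7F may be accepted; worth confirming if the helper is meant to be ASCII-only.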