From 8babb4c8362a8736b7a597d1bbd1619246382f2a Mon Sep 17 00:00:00 2001
From: James Collins <james.collins@outlook.com.au>
Date: Thu, 15 Jan 2026 08:28:41 +1000
Subject: [PATCH] added unlink safeguard

---
 app/Http/Controllers/MediaController.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/MediaController.php b/app/Http/Controllers/MediaController.php
index e8311dd..9759664 100644
--- a/app/Http/Controllers/MediaController.php
+++ b/app/Http/Controllers/MediaController.php
@@ -263,7 +263,14 @@ class MediaController extends Controller
             }
         }
 
-        unlink($file->getRealPath());
+        $tempPath = $file->getRealPath();
+        if(is_string($tempPath)) {
+            $realPath = realpath($tempPath);
+            $tempDir = realpath(sys_get_temp_dir());
+            if($realPath !== false && $tempDir !== false && str_starts_with($realPath, $tempDir . DIRECTORY_SEPARATOR)) {
+                @unlink($realPath);
+            }
+        }
 
         if($request->wantsJson()) {
             return response()->json([