GHSA-ffx7-75gc-jg7c: File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
medium vulnerability
security
Summary
File Browser's TUS resumable upload handler does not validate that the Upload-Length header is non-negative. When an attacker supplies a negative value such as -1, the first PATCH request immediately satisfies the completion condition (0 >= -1 is true), so after_upload hooks (automated scripts that run after file uploads) fire with empty or partial files. An authenticated user with upload permission can trigger these hooks repeatedly with any filename, even without actually uploading data.
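The completion check described above, modelled as an added Go example (not File Browser's own code): `upload`, `patch`, `hookFires` and the two parsers are hypothetical names, and the header values are constructed. It contrasts accepting any parseable integer with rejecting negative values before upload state is created.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// upload models per-upload server state (hypothetical type, not the project's).
type upload struct{ length, offset int64 }

var errBadLength = errors.New("Upload-Length must be a non-negative integer")

// parseLengthUnchecked mirrors the flaw: any parseable integer is accepted.
func parseLengthUnchecked(h string) (int64, error) {
	return strconv.ParseInt(h, 10, 64)
}

// parseLengthStrict rejects malformed and negative values up front.
func parseLengthStrict(h string) (int64, error) {
	n, err := strconv.ParseInt(h, 10, 64)
	if err != nil || n < 0 {
		return 0, errBadLength
	}
	return n, nil
}

// patch applies a chunk and reports whether offset >= length, the point at which after_upload hooks would run.
func (u *upload) patch(chunk []byte) bool {
	u.offset += int64(len(chunk))
	return u.offset >= u.length
}

// hookFires creates an upload from the header, then sends one empty PATCH.
func hookFires(parse func(string) (int64, error), header string) (bool, error) {
	n, err := parse(header)
	if err != nil {
		return false, err
	}
	u := &upload{length: n}
	return u.patch(nil), nil
}

func main() {
	for _, h := range []string{"-1", "1024"} { // constructed sample headers
		a, _ := hookFires(parseLengthUnchecked, h)
		b, err := hookFires(parseLengthStrict, h)
		fmt.Printf("Upload-Length=%s unchecked fired=%v; strict fired=%v err=%v\n", h, a, b, err)
	}
}
```

A declared length of 0 still completes on the first PATCH under the strict parser, which is the expected behaviour for a legitimately empty file.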
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
March 16, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
github.com/filebrowser/filebrowser/v2@<= 2.61.1
Original source: https://github.com/advisories/GHSA-ffx7-75gc-jg7c
First tracked: March 16, 2026 at 05:09 PM
Classified by LLM (prompt v3) · confidence: 95%