Thank you for this contribution, I've tested the gadget chain and it works on the specified versions, I'm merging this.

I've also checked the fix you proposed to the Silverstripe project.

I just wanted to warn you that the fix is partial, and this gadget chain can still be used for malicious purposes even after the fix is applied:

The added check only verifies that the file basename starts with a given prefix, which effectively prevents arbitrary file deletion, but, for example, path traversal and the ftp protocol is not blocked, so this gadget chain can be used for connect-backs.

UNC Paths are also usable on Windows, which makes the gadget chains usable to coerce an authentication to an attacker-controlled host, which can then be used for relay attacks.

It seems the fixes you proposed for Silverstripe/FD1, Grav/FD1, phpThumb/FD1 (and maybe others) all suffer from this same issue.