diff -Naur webfm_old/webfm.module webfm/webfm.module
--- webfm_old/webfm.module	2008-10-08 17:42:24.000000000 -0700
+++ webfm/webfm.module	2008-10-08 16:32:04.000000000 -0700
@@ -859,6 +859,13 @@
     $root_dir = (($user->uid == 1) || user_access('administer webfm'))? file_directory_path() : file_directory_path().webfm_get_root_path();
     $dest = $root_dir.$_POST['webfmuploadpath'];
     $db_check = TRUE;
+    if(!isset($_FILES['files']) || $_FILES['files']['name']['webfm_upload'] == '') {
+      drupal_set_message(t('Please click "Browse" and select a file to upload before clicking the upload button.'), error);
+      if(!isset($json_data['html']))
+        $json_data['html'] = webfm_reload_upload('webfm/upload');
+      print drupal_to_js(array('status' => TRUE, 'data' => $json_data));
+      exit();
+    }
     // Save new file uploads to tmp dir.
     if(($file = file_save_upload('webfm_upload')) != FALSE) {
       // Scale image uploads.
@@ -1188,7 +1195,7 @@
           $source = $root_dir.trim(rawurldecode($_POST["param0"]));
           $dest = $root_dir.trim(rawurldecode($_POST["param1"]));
           // prevent any ../ shenanigans
-          if(!ereg('\.\.', $dest)) {
+          if(!ereg('\.\.', $dest) && dirname(rawurldecode($_POST["param0"]))==dirname(rawurldecode($_POST["param1"]))) {
             $err_arr[] = array();
             //rename permissions inside webfm_rename
             $ret = webfm_rename($source, $dest, ($webfm_perm == WEBFM_USER) ? $user->uid : 1, $err_arr);
