- 🇳🇿New Zealand quietone
This is still true for Drupal 10.1.x. However, this is not a bug (I asked in #bugsmash) so changing to a task. Also adding Usability tag because of the change in behavior in the UI.
I have updated the Issue Summary.
It is possible to upload files with arbitrary extensions into the config full import form. The files then fail extraction, but the file extension is not validated in the first place.
The security team is happy with this being a public hardening issue because only those with a restricted permission can access this form.
Validate the file extensions. We cannot rely on the regular #upload_validators for this because those only work for managed files.
Update the patch
Add tests
Review
Commit
Instead of cryptic error messages from the tar extractor, a proper error message is displayed when uploading incorrect files in the config import form.
None.
None.
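The extension check proposed above can be sketched without #upload_validators. This is an added example, not Drupal core code and not the patch from this issue; the function name, the allowed suffix list and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: stand-alone sketch, not Drupal core code or the issue's patch.
// ALLOWED_SUFFIXES is an assumed list; set it to the archive types the form accepts.
const ALLOWED_SUFFIXES = ['.tar.gz', '.tgz', '.tar.bz2'];

/**
 * Hypothetical helper: returns NULL when the client-supplied file name ends
 * in an allowed suffix, otherwise an error message to show on the form.
 */
function config_archive_extension_error(string $client_name): ?string {
  // Use only the final path component; some clients send a full path.
  $name = strtolower(basename(str_replace('\\', '/', $client_name)));
  foreach (ALLOWED_SUFFIXES as $suffix) {
    // Require a non-empty stem so a bare ".tar.gz" is rejected.
    if (strlen($name) > strlen($suffix) && str_ends_with($name, $suffix)) {
      return NULL;
    }
  }
  return sprintf(
    'Only files with the following extensions are allowed: %s',
    implode(' ', array_map(fn($s) => ltrim($s, '.'), ALLOWED_SUFFIXES))
  );
}

// Constructed sample file names, as a browser might submit them.
$samples = [
  'config-site.tar.gz',   // accepted
  'CONFIG.TGZ',           // accepted: comparison is case-insensitive
  'export.tar.bz2',       // accepted
  'settings.php',         // rejected
  'config.tar.gz.php',    // rejected: only the trailing suffix counts
  'notes.txt',            // rejected
  '.tar.gz',              // rejected: no file name before the suffix
];
foreach ($samples as $sample) {
  $error = config_archive_extension_error($sample);
  printf("%-20s %s\n", $sample, $error === NULL ? 'accepted' : "rejected: $error");
}
```

In a form validate handler the name would come from the Symfony UploadedFile object's getClientOriginalName(), and a non-NULL result would be passed to $form_state->setErrorByName() so the user sees it before the tar extractor runs.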
Needs work
9.5
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.