Low-level file upload handling buggy when allowing all file extensions

Created on 23 November 2017, over 6 years ago
Updated 30 January 2023, over 1 year ago

Problem/Motivation

There are use cases where a managed file upload form element should allow files with any extension (or even without an extension). file_save_upload supports this use case, but it is broken.

According to code docs, file_save_upload allows "any extension" by specifying the following for $validators:

To allow all extensions, you must explicitly set this array to ['file_validate_extensions' => ''].

Unfortunately, this is broken in the following circumstances:

  1. When uploading multiple files at once, the first file is allowed to be any extension, but any subsequent files are restricted to the default set of extensions. This is due to a logic error in file_save_upload.
  2. When rendering the file_upload_help template with those upload validators, the following erroneous item is included: "Allowed types: ." because template_preprocess_file_upload_help does not take into account this use case.

Note: this issue is specifically about lower-level usage of the managed file upload form element and related functions. There is a separate issue about the file entity field, which explicitly does not allow this use case for security reasons: #803926: File field shouldn't allow any file extension to be uploaded when the list of allowed extensions is left blank. Although there is a proposal to make the file entity field more flexible: #997900: Not possible to allow uploading files with any file extension.

Proposed resolution

Fix file_save_upload to make it work as documented for multiple file uploads, and add support for this upload validator definition to template_preprocess_file_upload_help by excluding any mention of allowed file types if all file extensions are permitted.

Remaining tasks

I am working on a patch, and I'm trying not to impact "Convert web tests to browser tests for file module" (Fixed).

User interface changes

N/A

API changes

None.

Data model changes

None.

Bug report
Status

Needs work

Version

9.5

Component
File module

Last updated 3 days ago

Created by

United States decafdennis
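
A simplified model of how a per-file loop can produce the first symptom in the report, added here as an illustration; it is not Drupal's code and not part of the original issue. The mechanism shown (rewriting the shared $validators array inside the loop) is an assumption, since the report says only that there is a logic error. Function names, the default list and the file names are hypothetical.

```php
<?php
// Simplified model, NOT Drupal's file_save_upload(). Names, the default list
// and the sample file names are hypothetical/constructed.
const DEFAULT_EXTENSIONS = 'jpg png txt pdf';

function extension_allowed(string $name, string $allowed): bool {
  $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
  return in_array($ext, explode(' ', $allowed), TRUE);
}

// Buggy shape: the shared $validators array is rewritten inside the loop.
function check_uploads_buggy(array $names, array $validators): array {
  $result = [];
  foreach ($names as $name) {
    if (isset($validators['file_validate_extensions'])) {
      if (empty($validators['file_validate_extensions'][0])) {
        // "Allow all": drop the validator. The key is now gone for file 2.
        unset($validators['file_validate_extensions']);
      }
    }
    else {
      // Looks like "caller gave no validator", so the default list kicks in.
      $validators['file_validate_extensions'] = [DEFAULT_EXTENSIONS];
    }
    $list = $validators['file_validate_extensions'][0] ?? NULL;
    $result[$name] = $list === NULL || extension_allowed($name, $list);
  }
  return $result;
}

// Fixed shape: resolve the caller's intent once, before iterating.
function check_uploads_fixed(array $names, array $validators): array {
  $list = DEFAULT_EXTENSIONS;
  if (isset($validators['file_validate_extensions'])) {
    $value = $validators['file_validate_extensions'];
    $list = empty($value[0]) ? NULL : $value[0]; // NULL means "any extension"
  }
  $result = [];
  foreach ($names as $name) {
    $result[$name] = $list === NULL || extension_allowed($name, $list);
  }
  return $result;
}

$names = ['report.xyz', 'data.bin', 'README'];
$allow_all = ['file_validate_extensions' => ''];
var_export(check_uploads_buggy($names, $allow_all));
echo PHP_EOL;
var_export(check_uploads_fixed($names, $allow_all));
```

In this model the fallback is stricter than what the caller asked for; the same loop-mutation pattern deserves more scrutiny in review when the fallback branch is the permissive one.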


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
