[D7] Add phtml files to the list of potentially malicious extensions

This change was just committed to D9/10.

Uploading two patches:

- 3214047-3-update-extensions.patch - only updates the list of unsafe extensions on all three places where these are used.

- 3214047-3-new-constant.patch - updates the list of unsafe extensions and creates a new constant to use on all three places.

I also looked at the tests, but it seems that D7 is currently not testing all these unsafe extensions at all. Only selected use-cases (extensions) are tested in various functions, but we do not have a general test like the one in D10 (SecurityFileUploadEventSubscriberTest::testSanitizeName()). For example the asp extension is not tested anywhere. That's why I have not backported the test changes from D10 patch. Probably the best approach will be to create a follow-up issue, where we should consider adding tests for all these extensions (including phtml).

@poker10, these patches look good - they appear to conform to coding standards, are clear, and make good use of the API. I tried out 3214047-3-new-constant.patch on my local d7 site and it works for me. I'm going to boldly mark this as RTBC.

Adding a tag for the final review. I think the benefits of this patch are greater that the need of a complete new tests (see #3), but if needed, we can do that in this issue also.

D9/10 has constants for this:

https://git.drupalcode.org/project/drupal/-/blob/10.1.0-beta1/core/lib/D...

So I vote for 3214047-3-new-constant.patch and am happy for that to be committed.

Committed, thanks!

Created a follow-up issue for tests: 📌 [D7] Add tests for handling files with insecure extensions Active

Automatically closed - issue fixed for 2 weeks with no activity.