- Issue created by @ram4nd
- 🇸🇰 Slovakia poker10
I reviewed the issue and it seems that the new permission proposed in the s.d.o. patch (and the MR) is not required anymore, as we already have the "administer fields" permission in D7, starting from 2016 (see here: #611294: Refine permissions for Field UI). This permission is restricted (https://api.drupal.org/api/drupal/modules%21field%21field.module/functio...). The permission is used to protect the Field UI, so it means that only trusted users can currently adjust allowed extensions on a specific field.

The second part of the MR (where .html and .htm are added to `FILE_INSECURE_EXTENSIONS`) is a hardening, but I do not think we can do such a change in this D7 phase. Adding this would affect all sites and disable uploads of html files, unless sites allow all insecure extensions using the `allow_insecure_uploads` configuration option. I think that would be a big change for existing sites. Also, html and htm extensions are not marked as insecure in Drupal 8+ (see: https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co...).

If all my findings are correct, I propose to close this as Won't fix. Or we can keep this issue for Drupal 10/11 to consider adding .html and .htm to `INSECURE_EXTENSIONS`. Any thoughts? Thanks!
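To make concrete what the second part of the MR would change for existing sites, here is a small stand-alone PHP illustration added to this thread (it is not Drupal core code and not posted by any participant). It models the Drupal 7 style of check, in which an insecure extension anywhere in the filename counts as a match and the filename gets `.txt` appended unless insecure uploads are allowed, and then runs the same uploads through the extension list with and without `html|htm`. The extension list, the function names and the sample filenames are constructed for this example; the real list lives in `FILE_INSECURE_EXTENSIONS` in core.

```php
<?php
// Added illustration, not Drupal core code. The extension list below is
// constructed for the example; the authoritative value is the
// FILE_INSECURE_EXTENSIONS constant in Drupal 7 core.
const EXAMPLE_INSECURE_EXTENSIONS = 'php|phar|pl|py|cgi|asp|js';

/**
 * Returns TRUE when $filename carries an insecure extension anywhere in its
 * name, so "upload.php.jpg" is caught and not only "upload.php".
 */
function example_has_insecure_extension(string $filename, string $extensions): bool {
  return (bool) preg_match('/\.(' . $extensions . ')(\.|$)/i', $filename);
}

/**
 * Models the hardening step: unless insecure uploads are allowed, an insecure
 * filename is munged by appending ".txt" so the web server serves it inert.
 * A name that already ends in ".txt" is left alone.
 */
function example_munge_filename(string $filename, string $extensions, bool $allow_insecure_uploads): string {
  if ($allow_insecure_uploads) {
    return $filename;
  }
  if (example_has_insecure_extension($filename, $extensions) && substr($filename, -4) !== '.txt') {
    return $filename . '.txt';
  }
  return $filename;
}

// Constructed sample uploads: the only difference between the two columns is
// whether html|htm is part of the insecure list, which is the change the MR proposes.
$samples = ['report.pdf', 'page.html', 'notes.htm', 'upload.php.jpg', 'widget.js', 'dump.php.txt'];
$with_html = EXAMPLE_INSECURE_EXTENSIONS . '|html|htm';

printf("%-16s %-20s %-20s\n", 'upload', 'current list', 'with html|htm');
foreach ($samples as $name) {
  printf("%-16s %-20s %-20s\n",
    $name,
    example_munge_filename($name, EXAMPLE_INSECURE_EXTENSIONS, FALSE),
    example_munge_filename($name, $with_html, FALSE)
  );
}
```

Running it shows the point made in the comment: with the current list `page.html` and `notes.htm` pass through untouched, while with `html|htm` added they become `page.html.txt` and `notes.htm.txt`, which is exactly the behaviour change every site that legitimately accepts HTML uploads would see unless it sets `allow_insecure_uploads`.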