- Issue created by @vetchneons
- 🇬🇧 United Kingdom catch
@vetchneons is this a regression due to Always rename dot files like Drupal 7 Needs work (which was just committed yesterday) or does it pre-exist that issue?
- 🇺🇸 United States vetchneons
@catch, thanks for the quick reply -- this predates that issue.
- 🇳🇿 New Zealand quietone
In Drupal core, changes are made on 11.x (our main development branch) first, and are then backported as needed according to the Core change policies. Also mentioned on the version section of the list of issue fields documentation.
- First commit to issue fork.
- Merge request !12503 Update file SecurityFileUploadEventSubscriber.php (Open) created by immaculatexavier
- 🇮🇳 India immaculatexavier
Created MR in accordance with the Proposed resolution against 11.x.
- 🇺🇸 United States smustgrave
@immaculatexavier thanks but did you read the comments? Just blindly taking the proposed solution isn't always the way.
@vetchneons did the issue catch posted resolve this issue?
NW because this has no test coverage
- 🇺🇸 United States vetchneons
@smustgrave, thanks for asking. I am not seeing the issue resolved with the changes applied from the issue @catch posted.
I tested both with allow_insecure_uploads set to "true" and "false".
In both instances, the behavior I described above is still happening: "test.image.jpg" is getting renamed and "test.images.jpg" is not.
I see this code goes back to Drupal 4 for SA-2006-006. I don't know enough about the issue to know if what this regex is trying to capture is mitigated by something else, or if it's still good to have this as a check.
It was confusing to try to track down when the filename had two '.' in it, and the string after the first '.' didn't resemble a file extension.
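
Added example, not part of the thread and not Drupal's own code: a minimal re-creation of an inner-extension munging heuristic that reproduces the reported behaviour, where "test.image.jpg" is renamed and "test.images.jpg" is not. It assumes the check treats any inner dot-separated part made of 2 to 5 letters plus an optional digit as a possible extension; the function name, the pattern as written here, the allow list and the sample filenames are all assumptions for illustration.

```php
<?php
// Hypothetical sketch of the heuristic discussed in this thread (not Drupal's code).
// Assumption: an inner filename part is "extension-like" when it is 2-5 ASCII
// letters followed by an optional digit and is not on the allow list.
// Such parts get a trailing underscore so that a web server which picks a
// handler from any extension in the name cannot treat "x.php.jpg" as PHP.
const EXTENSION_LIKE = '/^[a-zA-Z]{2,5}\d?$/';

function munge_inner_extensions(string $filename, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    $parts = explode('.', $filename);
    if (count($parts) < 3) {
        return $filename; // No inner parts: nothing between base name and final extension.
    }

    $base  = array_shift($parts); // Text before the first dot.
    $final = array_pop($parts);   // Real (last) extension, validated elsewhere.

    $out = $base;
    foreach ($parts as $part) {
        $out .= '.' . $part;
        $looksLikeExtension = preg_match(EXTENSION_LIKE, $part) === 1;
        if ($looksLikeExtension && !in_array(strtolower($part), $allowed, true)) {
            $out .= '_'; // Neutralise the inner "extension".
        }
    }
    return $out . '.' . $final;
}

// Constructed sample filenames; the allow list is an assumption.
$allowed = ['jpg', 'png', 'gif'];
$samples = [
    'test.image.jpg',  // "image" is 5 letters: matches the pattern, so it is munged.
    'test.images.jpg', // "images" is 6 letters: outside the pattern, left alone.
    'shell.php.jpg',   // The case the heuristic exists for.
    'photo.jpg',       // No inner part.
    'archive.tar.gz',  // Benign double extension, still munged.
];
foreach ($samples as $name) {
    printf("%-18s -> %s\n", $name, munge_inner_extensions($name, $allowed));
}
```

Under this assumption the rename depends only on the length and character class of the inner part, so ordinary words of five letters or fewer are caught alongside real extensions such as `php`.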