Uploading files that have '.' characters in the name can sometimes trigger the renaming in the sanitizeName function of the FileUploadSanitizeNameEvent.
This is happening because the regex is assuming that anything after the first '.' character is an extension and does not allow for patterns that are 2-5 letters long and optionally followed by a digit.
1. Go to /media/add/image
2. Upload a file with the name "test.image.jpg"
3. Verify the "For security reasons, your upload has been renamed to..." message appears
4. Upload a file with the name "test.images.jpg"
5. Verify the image we uploaded successfully.
in `web/core/modules/system/src/EventSubscriber/SecurityFileUploadEventSubscriber.php` change:
elseif (!empty($extensions) && !in_array(strtolower($filename_part), $extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
To:
elseif (!empty($extensions) && !in_array(strtolower($filename_part), $extensions) && in_array(strtolower($filename_part), FileSystemInterface::INSECURE_EXTENSIONS, TRUE)) {
Active
11.1 π₯
file system
@vetchneons is this a regression due to π Always rename dot files like Drupal 7 Needs work (which was just committed yesterday) or does it pre-exist that issue?
@catch, thanks for the quick reply -- this predates that issue.