diff --git a/core/modules/file/src/Tests/FileFieldWidgetTest.php b/core/modules/file/src/Tests/FileFieldWidgetTest.php
index bef39f17eb..fb61822d3a 100644
--- a/core/modules/file/src/Tests/FileFieldWidgetTest.php
+++ b/core/modules/file/src/Tests/FileFieldWidgetTest.php
@@ -336,6 +336,37 @@ public function testPrivateFileSetting() {
 $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.');
 }
 
+ /**
+ * Tests configuring file field's allowed file extensions setting.
+ */
+ public function testFileExtensionsSetting() {
+ // Grant the admin user required permissions.
+ user_role_grant_permissions($this->adminUser->roles[0]->target_id, ['administer node fields']);
+
+ $type_name = 'article';
+ $field_name = strtolower($this->randomMachineName());
+ $this->createFileField($field_name, 'node', $type_name);
+ $field = FieldConfig::loadByName('node', $type_name, $field_name);
+ $field_id = $field->id();
+
+ // By default allowing PHP files without TXT is not permitted.
+ $edit = ['settings[file_extensions]' => 'jpg php'];
+ $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id", $edit, t('Save settings'));
+ $this->assertText('The extension php is insecure. In order to allow it to be uploaded allow the "txt" extension.');
+
+ // Test allowing PHP and TXT.
+ $edit = ['settings[file_extensions]' => 'jpg php txt'];
+ $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id", $edit, t('Save settings'));
+ $this->assertText('Saved ' . $field_name . ' configuration.');
+
+ // If the system is configured to allow insecure uploads, TXT is not
+ // required when allowing PHP.
+ $this->config('system.file')->set('allow_insecure_uploads', TRUE)->save();
+ $edit = ['settings[file_extensions]' => 'jpg php'];
+ $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id", $edit, t('Save settings'));
+ $this->assertText('Saved ' . $field_name . ' configuration.');
+ }
+
 /**
 * Tests that download restrictions on private files work on comments.
 */
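Review bot: The rejection case in testFileExtensionsSetting() asserts only the error text after posting `jpg php`, so a regression that shows the message but still saves the value would pass. After that first drupalPostForm() the test should reload the field and check the stored setting, for example `$stored = FieldConfig::loadByName('node', $type_name, $field_name)->getSetting('file_extensions');` followed by `$this->assertFalse(in_array('php', explode(' ', $stored), TRUE), 'Rejected extension list was not saved.');` (reset the entity cache first if the loaded object turns out to be stale). The same read-back after the two accepted submissions would confirm the saved list is exactly what was posted. The test also exercises only the lower-case, space-separated form; if the validator normalises case or accepts other separators, which is not visible in this hunk, one case such as `jpg PHP` would show the check cannot be sidestepped by spelling.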