Upgraded from 7.x-2.4 to 7.x-2.8 and then could no longer save a change to a css file - When clicking save a dialog box appears with the message 'The url used contains a sub-filextension which poses a security threat. Saving not allowed.' Tested on 7.14 and 7.18 - reverting to 7.x-2.4 resolved the problem.

Attached file: Screen Shot 2013-01-20 at 21.34.29.png (31.97 KB, by pault)

Comments

pault wrote:

Some extra info - No message in the system log but message in admin area - 'For security reasons, your upload has been renamed to http://www.xxxxxxxx.co_.uk/themes/etc', i.e. an underscore is inserted - but the file has not been uploaded

guybedford wrote:

Thanks. I've included a fix on the dev branch. Let me know if this works for you and then I will re-release.

pault wrote:

Thanks for the quick response but unfortunately I'm getting the same error with 7.x-2.8+0-dev. I'm relatively new to Drupal so if there is any more info you require please let me know.

guybedford wrote:

It seems the dev branch hasn't updated yet. I've pushed out the change into a 7.x-2.9 release now anyway so that should sort it.

pault wrote:

Great - 7.x-2.9+0-dev has resolved the issue. Thanks

pault wrote:

Status: Active » Closed (fixed)

Resolved.

Robert_T wrote:

Status: Closed (fixed) » Needs work

Just installed a fresh Drupal 7 site using live_css version 7.x-2.9. This was derived from a staging site, which also had live_css version 7.x-2.9. Both sites have identical file structures and identically-named css files. We had no issues on the staging site, but on the new site we encounter the "The url used contains ..." message, followed by the message "For security reasons, your upload has been renamed ..." on a subsequent page load. Both sites have variable 'allow_insecure_uploads' set to FALSE, so file_munge_filename() should work the same on both sites. Ideas?

Robert_T wrote:

Version: 7.x-2.8 » 7.x-2.9

guybedford wrote:

I was asked to add this as a security fix. The previous version doesn't use the file_munge_filename for security.

Can you see what the path is that is being saved? It should then hopefully be obvious why it is returning the error.

Normally it will give an error for filenames that contain a '.'. So any file that looks like file.php.less will not be able to be saved.

If you let me know the full filename I can try and give some suggestions or see if this is a bug.

Robert_T wrote:

Status: Needs work » Closed (fixed)

Found it. The site root folder was named subdomain.example.com. By changing the site root folder to subdomain_example_com, I avoided triggering the file_munge_filename() failure. Thank you for the fast response!

guybedford wrote:

Glad that worked. Unfortunately I have to add this in for security - sorry about that!

hozt wrote:

Is there any way around this? On a multi-site drupal install the directories are named as the domain name i.e. sites/mydomain.com

guybedford wrote:

Ok, I can see how that can be a problem. I've added a fix that should restrict the check to the filename only. It is in the development branch, and should update shortly (can take a few hours).
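To make visible why a directory named like a domain (the co_.uk rename reported above, or a multi-site folder such as sites/mydomain.co.uk) trips the check when the whole path is inspected, while restricting the check to the filename, as the last comment describes, still rejects a genuinely suspicious name like style.php.css, here is an added PHP example. It is not the live_css module's code: munge_filename_standin() is a simplified re-implementation modelled on Drupal 7's file_munge_filename() (the allow_insecure_uploads variable and drupal_set_message() are left out), and save_rejected() together with the sample paths are constructed for illustration.

```php
<?php
// Added example, not the live_css module's code. Stand-in modelled on
// Drupal 7's file_munge_filename(): an underscore is appended to any
// dot-separated part of the name that looks like a file extension
// (2-5 letters plus an optional digit) and is not in the allowed list.
function munge_filename_standin($filename, $extensions) {
  // Strip null bytes before inspecting the name, as Drupal does.
  $filename = str_replace(chr(0), '', $filename);
  $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));

  // Guard added here: a name without any dot has nothing to munge.
  if (strpos($filename, '.') === FALSE) {
    return $filename;
  }

  $parts = explode('.', $filename);
  $new_filename = array_shift($parts);   // everything before the first dot
  $final_extension = array_pop($parts);  // the real (last) extension

  // Every middle part is a candidate "sub-extension".
  foreach ($parts as $part) {
    $new_filename .= '.' . $part;
    if (!in_array($part, $whitelist) && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
      $new_filename .= '_';
    }
  }
  return $new_filename . '.' . $final_extension;
}

// TRUE when the name would be rewritten, which is the condition under which
// the module refuses the save with its "sub-file extension" message.
function save_rejected($path, $extensions, $check_basename_only) {
  $subject = $check_basename_only ? basename($path) : $path;
  return munge_filename_standin($subject, $extensions) !== $subject;
}

// Constructed sample paths: a co.uk URL like the one reported in this thread,
// a multi-site directory named after a domain, a plain path, and a file whose
// own name carries a suspicious middle extension.
$samples = array(
  'http://www.example.co.uk/themes/mytheme/style.css',
  'sites/mydomain.co.uk/themes/mytheme/style.css',
  'sites/default/themes/mytheme/style.css',
  'sites/default/themes/mytheme/style.php.css',
);

foreach ($samples as $path) {
  printf(
    "%-52s full path: %-7s basename only: %s\n",
    $path,
    save_rejected($path, 'css less', FALSE) ? 'REJECT' : 'ok',
    save_rejected($path, 'css less', TRUE) ? 'REJECT' : 'ok'
  );
}
```

Run with `php munge_demo.php`: the first two paths are rejected only when the full path is checked, because "co" between two dots looks like an extension; the plain path passes both ways; style.php.css is rejected either way, which is the case the munging exists for.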