This was noticed by @effulgentsia.
Currently when a temporary file is actually uploaded to the server by Plupload, we validate it with preg_match('/^\w+\.tmp$/', $file_name). When that temporary file is going through the form API validation process before being copied, though, we validate it with a looser set of criteria.
Both should be safe, but for consistency we should use the same (more stringent) file name validation in both places.
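
One way to keep the two checks identical is to route both through a single helper. The following is an added example, not code from the Plupload module: the function names and sample file names are hypothetical, and the `D` modifier is an addition to the pattern quoted above (without it, `$` in PCRE also matches just before a trailing newline).

```php
<?php
// Added example; not Plupload module code. All function names are hypothetical.

/**
 * Single source of truth for temporary upload names.
 * Same pattern as the upload-time check quoted in the issue, plus the D
 * modifier (an addition) so "$" only matches at the very end of the string.
 */
function example_is_valid_tmp_name($file_name): bool {
  return is_string($file_name)
    && preg_match('/^\w+\.tmp$/D', $file_name) === 1;
}

/** Upload-time check: refuse the name before anything is written. */
function example_upload_check($file_name): string {
  if (!example_is_valid_tmp_name($file_name)) {
    throw new InvalidArgumentException('Invalid temporary file name.');
  }
  return $file_name;
}

/** Form-validation check: same rule, reported as a list of errors. */
function example_form_validate(array $submitted_names): array {
  $errors = [];
  foreach ($submitted_names as $i => $name) {
    if (!example_is_valid_tmp_name($name)) {
      $errors[] = "File $i: invalid temporary file name.";
    }
  }
  return $errors;
}

// Constructed sample names covering the edge cases the strict pattern rejects.
$samples = [
  'p1abc_0.tmp',    // plain word characters + .tmp
  'report.pdf.tmp', // extra dot is not matched by \w
  '../p1abc.tmp',   // path separator
  'p1abc.tmp.php',  // does not end in .tmp
  "p1abc.tmp\n",    // trailing newline, rejected because of the D modifier
  '.tmp',           // \w+ requires at least one character
];
foreach ($samples as $name) {
  $shown = json_encode($name, JSON_UNESCAPED_SLASHES);
  printf("%-20s %s\n", $shown, example_is_valid_tmp_name($name) ? 'accept' : 'reject');
}
```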