Drupal core uses a new Drupal\Core\File\Event\FileUploadSanitizeNameEvent event in order to sanitize a filename prior to saving an uploaded file. If an entity has a file field, the event will be triggered via the form widget, REST API or JSON:API when a file is attached to an entity.
If code uses the file form element type (\Drupal\Core\Render\Element\File), it is up to the implementation to save the file upload. The best way to do this is to call file_save_upload(), which will call the new API and file validation functions correctly. However, if custom or contrib code is calling file_munge_filename() and doing the security rename itself, it needs to be changed to trigger the new event or call file_save_upload().
The returned event has the sanitized filename and a flag which indicates if it has been renamed for security reasons.
For example:
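use Drupal\Core\File\Event\FileUploadSanitizeNameEvent;

// $extensions is the space-separated list of allowed extensions.
$event = new FileUploadSanitizeNameEvent($filename, $extensions);
\Drupal::service('event_dispatcher')->dispatch($event);
// Read back the sanitized name and whether it was renamed for security reasons.
$sanitized_filename = $event->getFilename();
$is_security_rename = $event->isSecurityRename();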
Using an event means that filename sanitization can be extended (e.g. transliteration, lowercase, remove whitespace) by implementing an event subscriber.
Drupal core adds a final security-related event subscriber, Drupal\system\EventSubscriber\SecurityFileUploadEventSubscriber, which implements the same logic as file_munge_filename().
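An event subscriber of the kind described above, as an added example that is not part of Drupal core or of the original change record. The module name example_upload, the class name and the method name are hypothetical; the subscriber only makes cosmetic changes and leaves the security rename to core's subscriber.

```php
<?php

namespace Drupal\example_upload\EventSubscriber;

use Drupal\Core\File\Event\FileUploadSanitizeNameEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Lowercases uploaded filenames and replaces whitespace (added example).
 *
 * Hypothetical module "example_upload". Register the class in
 * example_upload.services.yml as a service tagged "event_subscriber".
 */
class NormalizeFilenameSubscriber implements EventSubscriberInterface {

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // Default priority, so this runs before core's final security
    // subscriber and the security checks are applied to the normalized name.
    return [FileUploadSanitizeNameEvent::class => 'normalizeName'];
  }

  /**
   * Normalizes the filename carried by the event.
   */
  public function normalizeName(FileUploadSanitizeNameEvent $event): void {
    $filename = $event->getFilename();

    // Collapse each run of whitespace into a single underscore.
    $normalized = preg_replace('/\s+/u', '_', trim($filename));
    // preg_replace() returns NULL on invalid UTF-8: keep the original name
    // rather than saving an empty or broken one.
    if ($normalized === NULL || $normalized === '') {
      return;
    }
    $normalized = mb_strtolower($normalized);

    if ($normalized !== $filename) {
      // Cosmetic change only: setSecurityRename() is deliberately not
      // called, so isSecurityRename() keeps reporting core's decision.
      $event->setFilename($normalized);
    }
  }

}
```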
Deprecations
- file_munge_filename() - replaced by the event process
- file_unmunge_filename() - there is no direct replacement
- FILE_INSECURE_EXTENSION_REGEX constant - replaced by \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSION_REGEX