Change record status: 
Project: 
Introduced in branch: 
9.2.x
Introduced in version: 
9.2.0
Description: 

For file uploads, a file name is treated as insecure if it ends in .phar, .php, .pl, .py, .cgi, .asp or .js, or if any of these appears as one of its extensions, e.g. example.php.jpg.

Previously, if a user or API client attempted to upload a file with one of these insecure extensions, Drupal always renamed the file by appending '.txt' so that the web server could not attempt to execute it, and it also altered the dangerous extension itself: example.php became example.php_.txt. This happened even for file fields that were configured not to allow .txt files.

Now, Drupal only renames such files to .txt if the file field is configured to allow .txt files. If the field does not allow .txt, any upload with one of these insecure extensions is rejected.

An update path automatically adds 'txt' to the allowed file extensions of any field that previously allowed one of the dangerous extensions, in an attempt to preserve the previous behavior. Fields that never allowed a dangerous extension are not changed, so an insecure name uploaded to such a field (for example example.php.jpg to a field that only allows image extensions) is now rejected instead of renamed. Site administrators are encouraged to review these changes and confirm that allowing .txt is actually desired for the affected fields.
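The following Python is an added illustration, not Drupal core's code: it models the rename-or-reject decision described above for both the old and the new behavior, and includes an audit helper that lists which fields the update path would touch. It simplifies the real upload handler (it ignores the allow_insecure_uploads setting and appends '_' to every insecure segment rather than only those outside the field's allowed list), and the field names and extension lists in it are constructed.

```python
"""Model of how Drupal handles insecure upload names before and after 9.2.0.

Added illustration only; this is not Drupal core's code and it simplifies the
real upload handler (no allow_insecure_uploads setting, and every insecure
segment is munged rather than only those outside the field's allowed list).
"""
from __future__ import annotations

# The extensions the change record lists as insecure.
INSECURE_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp", "js"}


def extensions_of(filename: str) -> list[str]:
    """Every extension segment after the first dot, lower-cased."""
    return [part.lower() for part in filename.split(".")[1:]]


def is_insecure(filename: str) -> bool:
    """True if any extension segment is insecure, so example.php and
    example.php.jpg both count."""
    return any(ext in INSECURE_EXTENSIONS for ext in extensions_of(filename))


def neutralise(filename: str) -> str:
    """Append '_' to each insecure segment and make sure the name ends in
    .txt: example.php -> example.php_.txt (a name already ending in .txt
    gets no second .txt)."""
    base, *segments = filename.split(".")
    munged = [s + "_" if s.lower() in INSECURE_EXTENSIONS else s for s in segments]
    if not munged or munged[-1].lower() != "txt":
        munged.append("txt")
    return ".".join([base, *munged])


def _final_extension(filename: str) -> str:
    exts = extensions_of(filename)
    return exts[-1] if exts else ""


def upload_before_9_2(filename: str, allowed: set[str]) -> tuple[str, str]:
    """Old behavior: an insecure name is always renamed, and 'txt' is
    silently added to the allowed list so the renamed file validates."""
    allowed = {a.lower() for a in allowed}
    if is_insecure(filename):
        filename = neutralise(filename)
        allowed.add("txt")
    status = "accepted" if _final_extension(filename) in allowed else "rejected"
    return status, filename


def upload_since_9_2(filename: str, allowed: set[str]) -> tuple[str, str]:
    """New behavior: rename only if the field allows 'txt'; otherwise reject."""
    allowed = {a.lower() for a in allowed}
    if is_insecure(filename):
        if "txt" not in allowed:
            return "rejected", filename
        filename = neutralise(filename)
    status = "accepted" if _final_extension(filename) in allowed else "rejected"
    return status, filename


def fields_changed_by_update(field_configs: dict[str, str]) -> dict[str, str]:
    """Audit helper for the update path. Drupal stores a field's allowed
    extensions as a space-separated string; return the fields that allow an
    insecure extension but not 'txt', mapped to the value the update path
    would give them, so an administrator can review them."""
    changed = {}
    for name, ext_string in field_configs.items():
        allowed = ext_string.lower().split()
        if INSECURE_EXTENSIONS.intersection(allowed) and "txt" not in allowed:
            changed[name] = ext_string + " txt"
    return changed


if __name__ == "__main__":
    # Constructed sample field and uploads, not taken from any real site.
    image_field = {"png", "gif", "jpg", "jpeg"}
    for name in ("photo.jpg", "example.php", "example.php.jpg", "evil.exe"):
        print(name, upload_before_9_2(name, image_field), upload_since_9_2(name, image_field))
    print(fields_changed_by_update({
        "field_image": "png gif jpg jpeg",
        "field_attachment": "txt pdf",
        "field_script": "php pl",
    }))
```

Running the script shows the behavioral difference directly: example.php.jpg sent to an image field is renamed and accepted by the old rules but rejected by the new ones, while the audit helper reports only field_script (which allows php and pl but not txt) as a field the update path would change.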

Furthermore, API clients (JSON:API, REST, etc.) that upload files may start receiving rejections if they rely on the old renaming behavior and the site chooses not to add 'txt' to the allowed extensions of the relevant fields.

Impacts: 
Site builders, administrators, editors
Site templates, recipes and distribution developers