File extension validation on replacing file uses wrong property

… was this not a security vulnerability?

And why was this committed without any test coverage?

Neither the 8.x-2.x nor the 7.x-2.x branches of this project are covered by the Drupal security team.

Feel free to make it so.

Also, correct me if I am wrong, I believe that the 8.x branch of this project is superceded by something that was added to 8.4.x core (media entity?)

Currently, my clients pay me handsomely to do 7.x. However, any 8.x work I do is charity work unpaid.

Project page states clearly 'use at your own risk' not covered by security policy.

I am finding that this patch, already committed, is causing problems.

I created a new issue: #2951653: Default file extensions are being used for validation during file upload.

By the way, I'm not so sure any of this code is preventing the filename from being renamed into a string with an invalid extension. At least when I do my tests, changing the filename field in the /file/{fid}/edit page allows a bad extension to be accepted. With or without the the addition of the FileEntityItem class I am unable to replace the file with a new file that has an invalid extension.

This should not have been committed.

As #11 and the referenced issue shows, this seems to be causing problems and it is unclear if the problem is really fixed.

More importantly, this change causes the tests to fail, which was not noticed because the old test configuration is no longer supported and patches have not been tested automatically.

Whatever we do exactly will at least need to pass tests and should have test coverage for the bug it fixes.

Note: The commit doesn't want to show up somehow, but i did revert this.

I don't know if it's related but we're no longer able to upload SVG file since the update to Drupal 8.5.x. We had used the core patch to add SVG which worked well. The patch was improved and commit in the core and now, when we try to upload SVG file, we are block to the validation.

When I study the bug with xdebug, I see in file_validate_is_image of file.module than the validation function isn't able to find the mimetype and the temporary file doesn't have extension. So, the code never find the type of the file.

I've some difficulties to understand what's the part of the core and the part of the file_entity module in this bug.

@Calystod: This is file_entity and not the core file module. Maybe you wanted to post that in core?

As mentioned, the patch that was committed here has been reverted again and is not in the latest version.

Yes, when I look with xdebug, the file is a file_entity but is validated with core functions. So I don't know if the file_entity in miscontruct or if something is missing in core functions.

I see the patch has been revert, but my validation problem seems to look like the initial bug, even if I don't know if they are related in the code.

Sorry if my posts seem confuse.

I fix the problem with the installation of the module SVG Image