From 84003e47bdef397f9ff7d62ee2848edee23aaa15 Mon Sep 17 00:00:00 2001
From: Angie Byron <webchick@24967.no-reply.drupal.org>
Date: Fri, 25 Jun 2010 04:36:49 +0000
Subject: [PATCH] #803926 by dhthwy: Fixed File field shouldn't allow any file
 extension to be uploaded when the list of allowed extensions is left blank.

---
 modules/file/file.field.inc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/file/file.field.inc b/modules/file/file.field.inc
index ddd449e7e8dd..12420d846fc7 100644
--- a/modules/file/file.field.inc
+++ b/modules/file/file.field.inc
@@ -122,9 +122,12 @@ function file_field_instance_settings_form($field, $instance) {
     '#type' => 'textfield',
     '#title' => t('Allowed file extensions'),
     '#default_value' => $extensions,
-    '#description' => t('Separate extensions with a space or comma and do not include the leading dot. Leaving this blank will allow users to upload a file with any extension.'),
+    '#description' => t('Separate extensions with a space or comma and do not include the leading dot.'),
     '#element_validate' => array('_file_generic_settings_extensions'),
     '#weight' => 1,
+    // By making this field required, we prevent a potential security issue
+    // that would allow files of any type to be uploaded.
+    '#required' => TRUE,
   );
 
   $form['max_filesize'] = array(
-- 
GitLab