From 84003e47bdef397f9ff7d62ee2848edee23aaa15 Mon Sep 17 00:00:00 2001 From: Angie Byron <webchick@24967.no-reply.drupal.org> Date: Fri, 25 Jun 2010 04:36:49 +0000 Subject: [PATCH] #803926 by dhthwy: Fixed File field shouldn't allow any file extension to be uploaded when the list of allowed extensions is left blank. --- modules/file/file.field.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/file/file.field.inc b/modules/file/file.field.inc index ddd449e7e8dd..12420d846fc7 100644 --- a/modules/file/file.field.inc +++ b/modules/file/file.field.inc @@ -122,9 +122,12 @@ function file_field_instance_settings_form($field, $instance) { '#type' => 'textfield', '#title' => t('Allowed file extensions'), '#default_value' => $extensions, - '#description' => t('Separate extensions with a space or comma and do not include the leading dot. Leaving this blank will allow users to upload a file with any extension.'), + '#description' => t('Separate extensions with a space or comma and do not include the leading dot.'), '#element_validate' => array('_file_generic_settings_extensions'), '#weight' => 1, + // By making this field required, we prevent a potential security issue + // that would allow files of any type to be uploaded. + '#required' => TRUE, ); $form['max_filesize'] = array( -- GitLab