Update Drupal core 7.75

2020-12-02 14:02:45 +01:00 · 2020-12-02 14:02:45 +01:00 · 3e7e767516
commit 3e7e767516
parent ad0243e7b7
138 changed files with 674 additions and 432 deletions
--- a/frontend/drupal/CHANGELOG.txt
+++ b/frontend/drupal/CHANGELOG.txt
@ -1,3 +1,13 @@
+Drupal 7.75, 2020-11-26
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2020-013
+
+Drupal 7.74, 2020-11-17
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2020-012
+
 Drupal 7.73, 2020-09-16
 -----------------------
 - Fixed security issues:
--- a/frontend/drupal/includes/bootstrap.inc
+++ b/frontend/drupal/includes/bootstrap.inc
@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.73');
+define('VERSION', '7.75');

 /**
 * Core API compatibility.
--- a/frontend/drupal/includes/file.inc
+++ b/frontend/drupal/includes/file.inc
@ -1147,8 +1147,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
 * exploit.php_.pps.
 *
 * Specifically, this function adds an underscore to all extensions that are
- * between 2 and 5 characters in length, internal to the file name, and not
- * included in $extensions.
+ * between 2 and 5 characters in length, internal to the file name, and either
+ * included in the list of unsafe extensions, or not included in $extensions.
 *
 * Function behavior is also controlled by the Drupal variable
 * 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no
@ -1157,7 +1157,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
 * @param $filename
 *   File name to modify.
 * @param $extensions
- *   A space-separated list of extensions that should not be altered.
+ *   A space-separated list of extensions that should not be altered. Note that
+ *   extensions that are unsafe will be altered regardless of this parameter.
 * @param $alerts
 *   If TRUE, drupal_set_message() will be called to display a message if the
 *   file name was changed.
@ -1175,6 +1176,10 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {

    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));

+    // Remove unsafe extensions from the list of allowed extensions. The list is
+    // copied from file_save_upload().
+    $whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
+
    // Split the filename up by periods. The first part becomes the basename
    // the last part the final extension.
    $filename_parts = explode('.', $filename);
@ -1542,6 +1547,7 @@ function file_save_upload($form_field_name, $validators = array(), $destination
    $validators['file_validate_extensions'][0] = $extensions;
  }

+  if (!variable_get('allow_insecure_uploads', 0)) {
    if (!empty($extensions)) {
      // Munge the filename to protect against possible malicious extension hiding
      // within an unknown file type (ie: filename.html.foo).
@ -1549,18 +1555,27 @@ function file_save_upload($form_field_name, $validators = array(), $destination
    }

    // Rename potentially executable files, to help prevent exploits (i.e. will
-  // rename filename.php.foo and filename.php to filename.php.foo.txt and
-  // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
+    // rename filename.php.foo and filename.php to filename.php_.foo_.txt and
+    // filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
    // evaluates to TRUE.
-  if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+    if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
+      // If the file will be rejected anyway due to a disallowed extension, it
+      // should not be renamed; rather, we'll let file_validate_extensions()
+      // reject it below.
+      if (!isset($validators['file_validate_extensions']) || !file_validate_extensions($file, $extensions)) {
        $file->filemime = 'text/plain';
+        if (substr($file->filename, -4) != '.txt') {
          // The destination filename will also later be used to create the URI.
          $file->filename .= '.txt';
+        }
+        $file->filename = file_munge_filename($file->filename, $extensions, FALSE);
+        drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
        // The .txt extension may not be in the allowed list of extensions. We have
        // to add it here or else the file upload will fail.
-    if (!empty($extensions)) {
+        if (!empty($validators['file_validate_extensions'][0])) {
          $validators['file_validate_extensions'][0] .= ' txt';
-      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
+        }
+      }
    }
  }

@ -1728,7 +1743,18 @@ function file_validate(stdClass &$file, $validators = array()) {
  }

  // Let other modules perform validation on the new file.
-  return array_merge($errors, module_invoke_all('file_validate', $file));
+  $errors = array_merge($errors, module_invoke_all('file_validate', $file));
+
+  // Ensure the file does not contain a malicious extension. At this point
+  // file_save_upload() will have munged the file so it does not contain a
+  // malicious extension. Contributed and custom code that calls this method
+  // needs to take similar steps if they need to permit files with malicious
+  // extensions to be uploaded.
+  if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
+    $errors[] = t('For security reasons, your upload has been rejected.');
+  }
+
+  return $errors;
 }

 /**
--- a/frontend/drupal/modules/aggregator/aggregator.info
+++ b/frontend/drupal/modules/aggregator/aggregator.info
@ -7,7 +7,7 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/aggregator/tests/aggregator_test.info
+++ b/frontend/drupal/modules/aggregator/tests/aggregator_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/block/block.info
+++ b/frontend/drupal/modules/block/block.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/block/tests/block_test.info
+++ b/frontend/drupal/modules/block/tests/block_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/block/tests/themes/block_test_theme/block_test_theme.info
+++ b/frontend/drupal/modules/block/tests/themes/block_test_theme/block_test_theme.info
@ -13,7 +13,7 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/blog/blog.info
+++ b/frontend/drupal/modules/blog/blog.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = blog.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/book/book.info
+++ b/frontend/drupal/modules/book/book.info
@ -7,7 +7,7 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/color/color.info
+++ b/frontend/drupal/modules/color/color.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = color.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/comment/comment.info
+++ b/frontend/drupal/modules/comment/comment.info
@ -9,7 +9,7 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/contact/contact.info
+++ b/frontend/drupal/modules/contact/contact.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/contextual/contextual.info
+++ b/frontend/drupal/modules/contextual/contextual.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = contextual.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/dashboard/dashboard.info
+++ b/frontend/drupal/modules/dashboard/dashboard.info
@ -7,7 +7,7 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/dblog/dblog.info
+++ b/frontend/drupal/modules/dblog/dblog.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = dblog.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/field.info
+++ b/frontend/drupal/modules/field/field.info
@ -11,7 +11,7 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/field_sql_storage/field_sql_storage.info
+++ b/frontend/drupal/modules/field/modules/field_sql_storage/field_sql_storage.info
@ -7,7 +7,7 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/list/list.info
+++ b/frontend/drupal/modules/field/modules/list/list.info
@ -7,7 +7,7 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/list/tests/list_test.info
+++ b/frontend/drupal/modules/field/modules/list/tests/list_test.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/number/number.info
+++ b/frontend/drupal/modules/field/modules/number/number.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = number.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/options/options.info
+++ b/frontend/drupal/modules/field/modules/options/options.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = options.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/modules/text/text.info
+++ b/frontend/drupal/modules/field/modules/text/text.info
@ -7,7 +7,7 @@ dependencies[] = field
 files[] = text.test
 required = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field/tests/field_test.info
+++ b/frontend/drupal/modules/field/tests/field_test.info
@ -6,7 +6,7 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/field_ui/field_ui.info
+++ b/frontend/drupal/modules/field_ui/field_ui.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/file/file.info
+++ b/frontend/drupal/modules/file/file.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/file/tests/file_module_test.info
+++ b/frontend/drupal/modules/file/tests/file_module_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/filter/filter.info
+++ b/frontend/drupal/modules/filter/filter.info
@ -7,7 +7,7 @@ files[] = filter.test
 required = TRUE
 configure = admin/config/content/formats

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/forum/forum.info
+++ b/frontend/drupal/modules/forum/forum.info
@ -9,7 +9,7 @@ files[] = forum.test
 configure = admin/structure/forum
 stylesheets[all][] = forum.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/help/help.info
+++ b/frontend/drupal/modules/help/help.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = help.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/image/image.info
+++ b/frontend/drupal/modules/image/image.info
@ -7,7 +7,7 @@ dependencies[] = file
 files[] = image.test
 configure = admin/config/media/image-styles

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/image/tests/image_module_test.info
+++ b/frontend/drupal/modules/image/tests/image_module_test.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = image_module_test.module
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/locale/locale.info
+++ b/frontend/drupal/modules/locale/locale.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = locale.test
 configure = admin/config/regional/language

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/locale/tests/locale_test.info
+++ b/frontend/drupal/modules/locale/tests/locale_test.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/menu/menu.info
+++ b/frontend/drupal/modules/menu/menu.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = menu.test
 configure = admin/structure/menu

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/node/node.info
+++ b/frontend/drupal/modules/node/node.info
@ -9,7 +9,7 @@ required = TRUE
 configure = admin/structure/types
 stylesheets[all][] = node.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/node/tests/node_access_test.info
+++ b/frontend/drupal/modules/node/tests/node_access_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/node/tests/node_test.info
+++ b/frontend/drupal/modules/node/tests/node_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/node/tests/node_test_exception.info
+++ b/frontend/drupal/modules/node/tests/node_test_exception.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/openid/openid.info
+++ b/frontend/drupal/modules/openid/openid.info
@ -5,7 +5,7 @@ package = Core
 core = 7.x
 files[] = openid.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/openid/tests/openid_test.info
+++ b/frontend/drupal/modules/openid/tests/openid_test.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = openid
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/overlay/overlay.info
+++ b/frontend/drupal/modules/overlay/overlay.info
@ -4,7 +4,7 @@ package = Core
 version = VERSION
 core = 7.x

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/path/path.info
+++ b/frontend/drupal/modules/path/path.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = path.test
 configure = admin/config/search/path

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/php/php.info
+++ b/frontend/drupal/modules/php/php.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = php.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/poll/poll.info
+++ b/frontend/drupal/modules/poll/poll.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = poll.test
 stylesheets[all][] = poll.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/profile/profile.info
+++ b/frontend/drupal/modules/profile/profile.info
@ -11,7 +11,7 @@ configure = admin/config/people/profile
 ; See user_system_info_alter().
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/rdf/rdf.info
+++ b/frontend/drupal/modules/rdf/rdf.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 files[] = rdf.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/rdf/tests/rdf_test.info
+++ b/frontend/drupal/modules/rdf/tests/rdf_test.info
@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = blog

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/search/search.info
+++ b/frontend/drupal/modules/search/search.info
@ -8,7 +8,7 @@ files[] = search.test
 configure = admin/config/search/settings
 stylesheets[all][] = search.css

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/search/tests/search_embedded_form.info
+++ b/frontend/drupal/modules/search/tests/search_embedded_form.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/search/tests/search_extra_type.info
+++ b/frontend/drupal/modules/search/tests/search_extra_type.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/search/tests/search_node_tags.info
+++ b/frontend/drupal/modules/search/tests/search_node_tags.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/shortcut/shortcut.info
+++ b/frontend/drupal/modules/shortcut/shortcut.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = shortcut.test
 configure = admin/config/user-interface/shortcut

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/simpletest.info
+++ b/frontend/drupal/modules/simpletest/simpletest.info
@ -58,7 +58,7 @@ files[] = tests/upgrade/update.trigger.test
 files[] = tests/upgrade/update.field.test
 files[] = tests/upgrade/update.user.test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/actions_loop_test.info
+++ b/frontend/drupal/modules/simpletest/tests/actions_loop_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/ajax_forms_test.info
+++ b/frontend/drupal/modules/simpletest/tests/ajax_forms_test.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/ajax_test.info
+++ b/frontend/drupal/modules/simpletest/tests/ajax_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/batch_test.info
+++ b/frontend/drupal/modules/simpletest/tests/batch_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/boot_test_1.info
+++ b/frontend/drupal/modules/simpletest/tests/boot_test_1.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/boot_test_2.info
+++ b/frontend/drupal/modules/simpletest/tests/boot_test_2.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/common_test.info
+++ b/frontend/drupal/modules/simpletest/tests/common_test.info
@ -7,7 +7,7 @@ stylesheets[all][] = common_test.css
 stylesheets[print][] = common_test.print.css
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/common_test_cron_helper.info
+++ b/frontend/drupal/modules/simpletest/tests/common_test_cron_helper.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/database_test.info
+++ b/frontend/drupal/modules/simpletest/tests/database_test.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/drupal_autoload_test/drupal_autoload_test.info
+++ b/frontend/drupal/modules/simpletest/tests/drupal_autoload_test/drupal_autoload_test.info
@ -7,7 +7,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
+++ b/frontend/drupal/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
+++ b/frontend/drupal/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/entity_cache_test.info
+++ b/frontend/drupal/modules/simpletest/tests/entity_cache_test.info
@ -6,7 +6,7 @@ core = 7.x
 dependencies[] = entity_cache_test_dependency
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/entity_cache_test_dependency.info
+++ b/frontend/drupal/modules/simpletest/tests/entity_cache_test_dependency.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/entity_crud_hook_test.info
+++ b/frontend/drupal/modules/simpletest/tests/entity_crud_hook_test.info
@ -5,7 +5,7 @@ package = Testing
 version = VERSION
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/entity_query_access_test.info
+++ b/frontend/drupal/modules/simpletest/tests/entity_query_access_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/error_test.info
+++ b/frontend/drupal/modules/simpletest/tests/error_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/file.test
+++ b/frontend/drupal/modules/simpletest/tests/file.test
@ -706,7 +706,7 @@ class FileSaveUploadTest extends FileHookTestCase {
    $edit = array(
      'file_test_replace' => FILE_EXISTS_REPLACE,
      'files[file_test_upload]' => drupal_realpath($this->image->uri),
-      'allow_all_extensions' => TRUE,
+      'allow_all_extensions' => 'empty_array',
    );
    $this->drupalPost('file-test/upload', $edit, t('Submit'));
    $this->assertResponse(200, 'Received a 200 response for posted test file.');
@ -715,14 +715,35 @@ class FileSaveUploadTest extends FileHookTestCase {

    // Check that the correct hooks were called.
    $this->assertFileHooksCalled(array('validate', 'load', 'update'));
+
+    // Reset the hook counters.
+    file_test_reset();
+
+    // Now tell file_save_upload() to allow any extension and try and upload a
+    // malicious file.
+    $edit = array(
+      'file_test_replace' => FILE_EXISTS_REPLACE,
+      'files[file_test_upload]' => drupal_realpath($this->phpfile->uri),
+      'is_image_file' => FALSE,
+      'allow_all_extensions' => 'empty_array',
+    );
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>';
+    $this->assertRaw($message, 'Dangerous file was renamed.');
+    $this->assertText('File name is php-2.php_.txt.');
+    $this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed.");
+    $this->assertRaw(t('You WIN!'), 'Found the success message.');
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate', 'insert'));
  }

  /**
   * Test dangerous file handling.
   */
  function testHandleDangerousFile() {
-    // Allow the .php extension and make sure it gets renamed to .txt for
-    // safety. Also check to make sure its MIME type was changed.
+    // Allow the .php extension and make sure it gets munged and given a .txt
+    // extension for safety. Also check to make sure its MIME type was changed.
    $edit = array(
      'file_test_replace' => FILE_EXISTS_REPLACE,
      'files[file_test_upload]' => drupal_realpath($this->phpfile->uri),
@ -732,8 +753,9 @@ class FileSaveUploadTest extends FileHookTestCase {

    $this->drupalPost('file-test/upload', $edit, t('Submit'));
    $this->assertResponse(200, 'Received a 200 response for posted test file.');
-    $message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '.txt' . '</em>';
+    $message = t('For security reasons, your upload has been renamed to') . ' <em class="placeholder">' . $this->phpfile->filename . '_.txt' . '</em>';
    $this->assertRaw($message, 'Dangerous file was renamed.');
+    $this->assertRaw('File name is php-2.php_.txt.');
    $this->assertRaw(t('File MIME type is text/plain.'), "Dangerous file's MIME type was changed.");
    $this->assertRaw(t('You WIN!'), 'Found the success message.');

@ -755,8 +777,39 @@ class FileSaveUploadTest extends FileHookTestCase {
    // Check that the correct hooks were called.
    $this->assertFileHooksCalled(array('validate', 'insert'));

-    // Turn off insecure uploads.
+    // Reset the hook counters.
+    file_test_reset();
+
+    // Even with insecure uploads allowed, the .php file should not be uploaded
+    // if it is not explicitly included in the list of allowed extensions.
+    $edit['extensions'] = 'foo';
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>';
+    $this->assertRaw($message, 'Cannot upload a disallowed extension');
+    $this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate'));
+
+    // Reset the hook counters.
+    file_test_reset();
+
+    // Turn off insecure uploads, then try the same thing as above (ensure that
+    // the .php file is still rejected since it's not in the list of allowed
+    // extensions).
    variable_set('allow_insecure_uploads', 0);
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $message = t('Only files with the following extensions are allowed:') . ' <em class="placeholder">' . $edit['extensions'] . '</em>';
+    $this->assertRaw($message, 'Cannot upload a disallowed extension');
+    $this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate'));
+
+    // Reset the hook counters.
+    file_test_reset();
  }

  /**
@ -765,6 +818,7 @@ class FileSaveUploadTest extends FileHookTestCase {
  function testHandleFileMunge() {
    // Ensure insecure uploads are disabled for this test.
    variable_set('allow_insecure_uploads', 0);
+    $original_image_uri = $this->image->uri;
    $this->image = file_move($this->image, $this->image->uri . '.foo.' . $this->image_extension);

    // Reset the hook counters to get rid of the 'move' we just called.
@ -789,13 +843,33 @@ class FileSaveUploadTest extends FileHookTestCase {
    // Check that the correct hooks were called.
    $this->assertFileHooksCalled(array('validate', 'insert'));

+    // Reset the hook counters.
+    file_test_reset();
+
+    // Ensure we don't munge the .foo extension if it is in the list of allowed
+    // extensions.
+    $extensions = 'foo ' . $this->image_extension;
+    $edit = array(
+      'files[file_test_upload]' => drupal_realpath($this->image->uri),
+      'extensions' => $extensions,
+    );
+
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found no security message.');
+    $this->assertRaw(t('File name is @filename', array('@filename' => 'image-test.png.foo.png')), 'File was not munged when all extensions within it are allowed.');
+    $this->assertRaw(t('You WIN!'), 'Found the success message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate', 'insert'));
+
    // Ensure we don't munge files if we're allowing any extension.
    // Reset the hook counters.
    file_test_reset();

    $edit = array(
      'files[file_test_upload]' => drupal_realpath($this->image->uri),
-      'allow_all_extensions' => TRUE,
+      'allow_all_extensions' => 'empty_array',
    );

    $this->drupalPost('file-test/upload', $edit, t('Submit'));
@ -806,6 +880,94 @@ class FileSaveUploadTest extends FileHookTestCase {

    // Check that the correct hooks were called.
    $this->assertFileHooksCalled(array('validate', 'insert'));
+
+    // Test that a dangerous extension such as .php is munged even if it is in
+    // the list of allowed extensions.
+    $this->image = file_move($this->image, $original_image_uri . '.php.' . $this->image_extension);
+    // Reset the hook counters.
+    file_test_reset();
+
+    $extensions = 'php ' . $this->image_extension;
+    $edit = array(
+      'files[file_test_upload]' => drupal_realpath($this->image->uri),
+      'extensions' => $extensions,
+    );
+
+    $munged_filename = $this->image->filename;
+    $munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.'));
+    $munged_filename .= '_.' . $this->image_extension;
+
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
+    $this->assertRaw(t('File name is @filename', array('@filename' => $munged_filename)), 'File was successfully munged.');
+    $this->assertRaw(t('You WIN!'), 'Found the success message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate', 'insert'));
+
+    // Reset the hook counters.
+    file_test_reset();
+
+    // Dangerous extensions are munged even when all extensions are allowed.
+    $edit = array(
+      'files[file_test_upload]' => drupal_realpath($this->image->uri),
+      'allow_all_extensions' => 'empty_array',
+    );
+
+    $munged_filename = $this->image->filename;
+    $munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.'));
+    $munged_filename .= '_.' . $this->image_extension;
+
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
+    $this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.php_.png_.txt')), 'File was successfully munged.');
+    $this->assertRaw(t('You WIN!'), 'Found the success message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate', 'insert'));
+
+    // Dangerous extensions are munged if is renamed to end in .txt.
+    $this->image = file_move($this->image, $original_image_uri . '.cgi.' . $this->image_extension . '.txt');
+    // Reset the hook counters.
+    file_test_reset();
+
+    $edit = array(
+      'files[file_test_upload]' => drupal_realpath($this->image->uri),
+      'allow_all_extensions' => 'empty_array',
+    );
+
+    $munged_filename = $this->image->filename;
+    $munged_filename = substr($munged_filename, 0, strrpos($munged_filename, '.'));
+    $munged_filename .= '_.' . $this->image_extension;
+
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
+    $this->assertRaw(t('File name is @filename.', array('@filename' => 'image-test.png_.cgi_.png_.txt')), 'File was successfully munged.');
+    $this->assertRaw(t('You WIN!'), 'Found the success message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate', 'insert'));
+
+    // Reset the hook counters.
+    file_test_reset();
+
+    // Ensure that setting $validators['file_validate_extensions'] = array('')
+    // rejects all files without munging or renaming.
+    $edit = array(
+        'files[file_test_upload]' => drupal_realpath($this->image->uri),
+        'allow_all_extensions' => 'empty_string',
+    );
+
+    $this->drupalPost('file-test/upload', $edit, t('Submit'));
+    $this->assertResponse(200, 'Received a 200 response for posted test file.');
+    $this->assertNoRaw(t('For security reasons, your upload has been renamed'), 'Found security message.');
+    $this->assertRaw(t('Epic upload FAIL!'), 'Found the failure message.');
+
+    // Check that the correct hooks were called.
+    $this->assertFileHooksCalled(array('validate'));
  }

  /**
@ -2192,6 +2354,25 @@ class FileValidateTest extends FileHookTestCase {
    $this->assertEqual(file_validate($file, $failing), array('Failed', 'Badly', 'Epic fail'), 'Validating returns errors.');
    $this->assertFileHooksCalled(array('validate'));
  }
+
+  /**
+   * Tests hard-coded security check in file_validate().
+   */
+  public function testInsecureExtensions() {
+    $file = $this->createFile('test.php', 'Invalid PHP');
+
+    // Test that file_validate() will check for insecure extensions by default.
+    $errors = file_validate($file, array());
+    $this->assertEqual('For security reasons, your upload has been rejected.', $errors[0]);
+    $this->assertFileHooksCalled(array('validate'));
+    file_test_reset();
+
+    // Test that the 'allow_insecure_uploads' is respected.
+    variable_set('allow_insecure_uploads', 1);
+    $errors = file_validate($file, array());
+    $this->assertEqual(array(), $errors);
+    $this->assertFileHooksCalled(array('validate'));
+  }
 }

 /**
@ -2561,7 +2742,7 @@ class FileNameMungingTest extends FileTestCase {

  function setUp() {
    parent::setUp();
-    $this->bad_extension = 'php';
+    $this->bad_extension = 'foo';
    $this->name = $this->randomName() . '.' . $this->bad_extension . '.txt';
    $this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt';
  }
@ -2610,6 +2791,18 @@ class FileNameMungingTest extends FileTestCase {
    $this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
  }

+  /**
+   * Tests unsafe extensions are munged by file_munge_filename().
+   */
+  public function testMungeUnsafe() {
+    $prefix = $this->randomName();
+    $name = "$prefix.php.txt";
+    // Put the php extension in the allowed list, but since it is in the unsafe
+    // extension list, it should still be munged.
+    $munged_name = file_munge_filename($name, 'php txt');
+    $this->assertIdentical($munged_name, "$prefix.php_.txt", format_string('The filename (%munged) has been modified from the original (%original) if the allowed extension is also on the unsafe list.', array('%munged' => $munged_name, '%original' => $name)));
+  }
+
  /**
   * Ensure that unmunge gets your name back.
   */
--- a/frontend/drupal/modules/simpletest/tests/file_test.info
+++ b/frontend/drupal/modules/simpletest/tests/file_test.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = file_test.module
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/file_test.module
+++ b/frontend/drupal/modules/simpletest/tests/file_test.module
@ -76,9 +76,13 @@ function _file_test_form($form, &$form_state) {
  );

  $form['allow_all_extensions'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Allow all extensions?'),
-    '#default_value' => FALSE,
+    '#type' => 'radios',
+    '#options' => array(
+      'false' => 'No',
+      'empty_array' => 'Empty array',
+      'empty_string' => 'Empty string',
+    ),
+    '#default_value' => 'false',
  );

  $form['is_image_file'] = array(
@ -114,9 +118,13 @@ function _file_test_form_submit(&$form, &$form_state) {
    $validators['file_validate_is_image'] = array();
  }

-  if ($form_state['values']['allow_all_extensions']) {
+  $allow = $form_state['values']['allow_all_extensions'];
+  if ($allow === 'empty_array') {
    $validators['file_validate_extensions'] = array();
  }
+  elseif ($allow === 'empty_string') {
+    $validators['file_validate_extensions'] = array('');
+  }
  elseif (!empty($form_state['values']['extensions'])) {
    $validators['file_validate_extensions'] = array($form_state['values']['extensions']);
  }
--- a/frontend/drupal/modules/simpletest/tests/filter_test.info
+++ b/frontend/drupal/modules/simpletest/tests/filter_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/form_test.info
+++ b/frontend/drupal/modules/simpletest/tests/form_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/image_test.info
+++ b/frontend/drupal/modules/simpletest/tests/image_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/menu_test.info
+++ b/frontend/drupal/modules/simpletest/tests/menu_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/module_test.info
+++ b/frontend/drupal/modules/simpletest/tests/module_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/path_test.info
+++ b/frontend/drupal/modules/simpletest/tests/path_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/psr_0_test/psr_0_test.info
+++ b/frontend/drupal/modules/simpletest/tests/psr_0_test/psr_0_test.info
@ -5,7 +5,7 @@ core = 7.x
 hidden = TRUE
 package = Testing

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/psr_4_test/psr_4_test.info
+++ b/frontend/drupal/modules/simpletest/tests/psr_4_test/psr_4_test.info
@ -5,7 +5,7 @@ core = 7.x
 hidden = TRUE
 package = Testing

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/requirements1_test.info
+++ b/frontend/drupal/modules/simpletest/tests/requirements1_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/requirements2_test.info
+++ b/frontend/drupal/modules/simpletest/tests/requirements2_test.info
@ -7,7 +7,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/session_test.info
+++ b/frontend/drupal/modules/simpletest/tests/session_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_dependencies_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_dependencies_test.info
@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = _missing_dependency

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info
@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = system_incompatible_core_version_test

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_incompatible_core_version_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_incompatible_core_version_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 5.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info
@ -7,7 +7,7 @@ hidden = TRUE
 ; system_incompatible_module_version_test declares version 1.0
 dependencies[] = system_incompatible_module_version_test (>2.0)

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_incompatible_module_version_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_incompatible_module_version_test.info
@ -5,7 +5,7 @@ version = 1.0
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_project_namespace_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_project_namespace_test.info
@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = drupal:filter

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/system_test.info
+++ b/frontend/drupal/modules/simpletest/tests/system_test.info
@ -6,7 +6,7 @@ core = 7.x
 files[] = system_test.module
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/taxonomy_test.info
+++ b/frontend/drupal/modules/simpletest/tests/taxonomy_test.info
@ -6,7 +6,7 @@ core = 7.x
 hidden = TRUE
 dependencies[] = taxonomy

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/theme_test.info
+++ b/frontend/drupal/modules/simpletest/tests/theme_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info
+++ b/frontend/drupal/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info
@ -6,7 +6,7 @@ hidden = TRUE
 settings[basetheme_only] = base theme value
 settings[subtheme_override] = base theme value

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info
+++ b/frontend/drupal/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info
@ -6,7 +6,7 @@ hidden = TRUE

 settings[subtheme_override] = subtheme value

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/themes/test_theme/test_theme.info
+++ b/frontend/drupal/modules/simpletest/tests/themes/test_theme/test_theme.info
@ -17,7 +17,7 @@ stylesheets[all][] = system.base.css

 settings[theme_test_setting] = default value

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/themes/test_theme_nyan_cat/test_theme_nyan_cat.info
+++ b/frontend/drupal/modules/simpletest/tests/themes/test_theme_nyan_cat/test_theme_nyan_cat.info
@ -4,7 +4,7 @@ core = 7.x
 hidden = TRUE
 engine = nyan_cat

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/update_script_test.info
+++ b/frontend/drupal/modules/simpletest/tests/update_script_test.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/frontend/drupal/modules/simpletest/tests/update_test_1.info
+++ b/frontend/drupal/modules/simpletest/tests/update_test_1.info
@ -5,7 +5,7 @@ version = VERSION
 core = 7.x
 hidden = TRUE

-; Information added by Drupal.org packaging script on 2020-09-16
-version = "7.73"
+; Information added by Drupal.org packaging script on 2020-11-26
+version = "7.75"
 project = "drupal"
-datestamp = "1600272641"
+datestamp = "1606357834"
--- a/Show More
+++ b/Show More