Core doesn't check for proper image file extension

I downloaded 6.x dev, installed on test site. Uploaded jpg file with name "this.is.valid.imagefile". After upload I got message

"For security reasons, your upload has been renamed to this.is_.valid_.imagefile."

Now image file name is "this.is_.valid_.imagefile" and derivative's "this.is_.valid_.thumbnail.imagefile".
So this is bug indeed .

Both versions of Image module call file_save_upload().
5.x version of file_save_upload() uses file_check_upload() which has simple checks.

6.x version of file_save_upload() calls function file_munge_filename() which actually checks against "whitelist" of extensions. However, for some mystical reason, that function only checks "middle" file parts, while silently keeping old extension. Also, file_save_upload() runs so called 'validator' named "file_validate_is_image". That validator actually only checks file content, not file extension ( http://ru2.php.net/manual/en/function.getimagesize.php ).

Also both versions of Image module check filename in separate function _image_filename() - simple check if file has dot in the name (very poor).

So this is is bug in either image module or core. It really depends on what code must check filename extension - contributed module or core. Also it depends on if we allow image files without image extension in Drupal at all ? These file functions are in core - so other contrib project are affected too. There are similar issues such as #376315: Image upload when no file extension present

We have file_validate_extensions() validator but it will just throw error. This is too bad from the point of usability. I vote for the same solution as in #376315: Image upload when no file extension present: if file has missing proper image extension, find it out with image_get_info() and append it automatically, then warn the user that his file was renamed.

Moving this to core, because I think it must be fixed in one place. I see no reason why we should allow image files without image extensions at all. I mean, users can upload all they want, but we need to fix it server-side anyway.
Possible fix for this would be to implement simple extension check in "file_validate_is_image" validator: we already check image type with image_get_info() so we have "true" file extension for free in info array. But in 7.x $file is not passed by reference, unlike it's done in 6.x so we can't rename it right there :(
Anyway, I pass the bug, let core drupal developers decide.

In case i'm wrong, please move this back to image module queue.

So this means that it can be done same way both in 6.x and in 7.x (since 7.x is targeted to php >=5).

If you mark this as feature request it will never be fixed in reasonable timeframe in 5.x and 6.x. This is bug, imo

Setting as bug.