Splitting this out from bug 33549 comment 8 and bug 33549 comment 9:
[[commons:File:Deamado ko.png.bmp]] is MIME type: image/x-bmp.
Looking at MediaWiki core's DefaultSettings.php and Wikimedia's CommonSettings.php, I can't figure out how this file type is allowed. Don't we strictly validate file extensions at least? Referring to [[mw:Manual:$wgStrictFileExtensions]], I suppose.
I was able to reproduce an upload of this file type on Commons via [[commons:Special:Upload]] a few minutes ago by simply disabling JavaScript in my browser (the file selection input has some associated JavaScript validation logic).
(In reply, Bawolff (Brian Wolff) from bug 33549 comment 10)
Umm yeah, that shouldn't be allowed.
Version: 1.23.0
Severity: normal
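
The report describes an upload that went through once the browser's JavaScript validation was switched off. As an added illustration (not MediaWiki's code and not part of the original report; the allow-list, function names and sample bytes are assumptions made up for this sketch), a server-side check in PHP that judges only the final extension and compares it with the file's magic bytes:

```php
<?php
// Added example with hypothetical names; not MediaWiki code.
// Assumed allow-list for this sketch: extension => type expected from content.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Identify content from its leading bytes; the client-declared type is ignored.
function sniffType(string $bytes): ?string {
    $signatures = [
        "\x89PNG\r\n\x1a\n" => 'image/png',
        'GIF87a'            => 'image/gif',
        'GIF89a'            => 'image/gif',
        "\xFF\xD8\xFF"      => 'image/jpeg',
        'BM'                => 'image/x-bmp',
    ];
    foreach ($signatures as $magic => $type) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Returns null when the upload is acceptable, otherwise the rejection reason.
function checkUpload(string $name, string $bytes): ?string {
    // Only the final extension counts: "x.png.bmp" is a .bmp file.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return "extension '$ext' is not on the allow-list";
    }
    $sniffed = sniffType($bytes);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return 'content (' . ($sniffed ?? 'unknown') . ") does not match .$ext";
    }
    return null;
}

// Constructed samples: a file name plus a few leading bytes, not real images.
$samples = [
    ['Deamado ko.png.bmp', 'BM' . str_repeat("\0", 12)],
    ['renamed.png',        'BM' . str_repeat("\0", 12)],
    ['ok.png',             "\x89PNG\r\n\x1a\n" . str_repeat("\0", 8)],
];
foreach ($samples as [$name, $bytes]) {
    echo $name, ': ', checkUpload($name, $bytes) ?? 'accepted', "\n";
}
```

The first sample is rejected on its extension, the second on the mismatch between a `.png` name and BMP content, and only the third is accepted, whatever the browser did or did not validate.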