Drupal RCE via file upload (abc.html.txt, filename.php.gif)

The vulnerability also tracked as SA-CORE-2020-012, exists due to improper validation of filenames of files uploaded to Drupal websites.<p>E.g. filename.php.txt or filename.html.gif, without an underscore (_) in the extension.