gilles008
16 Nov 2015

Steps to reproduce the issue

Using J! 3.4.5, use extension manager to install the plugin BT Social Sharing Plugin.

Expected result

Successful installation

Actual result

Error: JLIB_FILESYSTEM_ERROR_WARNFS_ERR03

System information (as much as possible)

If I upload the unzipped install files to the temp folder and install from this repository, the installation is successful.

Additional comments

gilles008 - open - 16 Nov 2015
brianteeman - comment - 17 Nov 2015

For those that don't know what the ERR03 message is:
JLIB_FILESYSTEM_ERROR_WARNFS_ERR03="Warning: File %s not uploaded for security reasons!"


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8453.

bertmert - comment - 19 Nov 2015

Tested with 3.5.0 beta staging 2015-11-13, PHP 5.6, plg_bt_socialshare_j2.5&j3.x_v2.3.10.zip
and cannot confirm

gilles008 - comment - 19 Nov 2015

Thanks. As I mentioned, I was on the current Joomla stable release 3.4.5.
In such a case, should we simply wait for J! 3.5?

berlanda - comment - 19 Nov 2015

I had the same problem when I tried to upload a pdf file using the media manager. I sent the file and I did not receive any warning, and the file simply did not upload. I noticed that the error depends on the pdf file uploaded, and it occurs due to the method isSafeFile() (class JFilterInput - libraries/joomla/filter/input.php), called within the method get() of the class JInputFiles (libraries/joomla/input/files.php, line 83).

The task upload(), from the media manager backend controller file.php, calls the method JInputFiles::get() through an object on the line 45 ($this->input->files->get).

Why does it occur? It occurs due to the forbidden extensions scan inside file contents, within the JFilterInput::isSafeFile(), from the line 459. In my case, when I saw the variable $data output (declared on line 467) from my pdf file, I found the string ".py" inside the pdf file code, one of the extensions verified by default, inside file contents. Important: the string was not inside the pdf file text.

I understood the importance of the method JFilterInput::isSafeFile(), but the search for simple extensions inside file content, being confused with the pdf file code, can cause problems whose reason most users will not identify.

I posted here because I think that this issue is related. I will open another issue, if you don't mind.

bertmert - comment - 19 Nov 2015

Reason is a correct bugfix in Joomla 3.4.5. Before this fix some checks while uploading were ignored.
This method should be called with correct parameters by the uploading components.

JFile::upload($src, $dest, $use_streams = false, $allow_unsafe = false, $safeFileOptions = array())

E.g. JCE editor had a similar issue while uploading addon packages with language files in it named like en-GB.plg_xyz_. They were identified as maybe PERL files (*.pl). Found inside a ZIP file before(!) unpacking it. After setting $allow_unsafe to true the issue was fixed for JCE.
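
An added illustration, not part of the thread and not Joomla's code: a simplified PHP model of the two false positives described in the comments above (a forbidden-extension substring scan over raw bytes matching `.pl` inside a ZIP entry name and `.py` inside PDF stream data), next to a check that reads the ZIP's entry names instead. The forbidden list, function names and sample files are assumptions constructed for the example; it needs PHP 7.4+ with the zip extension.

```php
<?php
// Added illustration; a simplified model, not Joomla's JFilterInput::isSafeFile().
// Assumed forbidden list (constructed); the thread itself only names .py and .pl.
const FORBIDDEN = ['php', 'pl', 'py', 'cgi'];

/** Raw scan: reports every forbidden ".ext" found anywhere in the bytes. */
function rawContentHits(string $data, array $forbidden = FORBIDDEN): array
{
    return array_values(array_filter(
        $forbidden,
        fn (string $ext): bool => stripos($data, '.' . $ext) !== false
    ));
}

/** Entry scan: reports ZIP entries with a forbidden dot-separated name segment. */
function entryNameHits(string $zipPath, array $forbidden = FORBIDDEN): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a readable ZIP archive');
    }
    $hits = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Every segment after the first dot, so "x.php.txt" is still caught.
        $segments = array_slice(explode('.', strtolower(basename($name))), 1);
        if (array_intersect($segments, $forbidden)) {
            $hits[] = $name;
        }
    }
    $zip->close();
    return $hits;
}

// Constructed package: a language file whose name contains ".pl", plus a real script.
$path = tempnam(sys_get_temp_dir(), 'pkg');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('language/en-GB.plg_xyz_demo.ini', "PLG_XYZ_DEMO=\"Demo\"\n");
$zip->addFromString('tools/helper.pl.txt', "print 1;\n");
$zip->close();

// Constructed PDF-like bytes where ".py" occurs by chance in binary stream data.
$pdfLike = "%PDF-1.4\n1 0 obj\nstream\n\x8f\x02.py\xa1\x7f\nendstream\nendobj\n";

echo 'raw scan, zip bytes: ', json_encode(rawContentHits(file_get_contents($path))), "\n";
echo 'entry scan, zip:     ', json_encode(entryNameHits($path)), "\n";
echo 'raw scan, pdf bytes: ', json_encode(rawContentHits($pdfLike)), "\n";
unlink($path);
```

The raw scan cannot tell the language file's name from a Perl script because it only sees the bytes `.pl`; the entry scan compares whole name segments, so it passes the language file and still reports `tools/helper.pl.txt`.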

gilles008 - comment - 19 Nov 2015

Thanks Bertmert. Pardon my ignorance, I'm new to Github.

I'm not understanding. Is a bug confirmed? Is there a fix?

bertmert - comment - 19 Nov 2015

@gilles008
I just wanted to post additional information to post of @berlanda because me and a friend made some investigations then! No reason for you to say pardon!

> I'm not understanding. Is a bug confirmed? Is there a fix?

I personally don't want to decide if it's a "bug" and if core components (and others) should use method upload() less secure by passing other parameters. I think sometimes there are confusing false positives.

> As I mentioned, I was on the current Joomla stable release 3.4.5. In such a case, should we simply wait for J! 3.5?

The best way to decide this would be to install 3.5.0 beta on same server and identical settings, PHP and so on as a subdomain and test it. I don't have a J3.4.5 at the moment where I could test it.

zero-24 - change - 25 Nov 2015
Category: Libraries
brianteeman - comment - 9 Dec 2016

Hi

I am closing this issue as it is over a year old and unfortunately with this type of thing there can always be false positives. However we have had no other reports so it's obviously not happening often.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8453.

brianteeman - change - 9 Dec 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-12-09 13:00:54
Closed_By: brianteeman
brianteeman - edited - 9 Dec 2016
brianteeman - close - 9 Dec 2016
