Description:
------------
With the pathinfo function a script can check a file extension. However the interpretation of "file extension" differs from common webserver behavior (tested on apache) on a file that only consists of a dot and an extension (e.g. .jpg).

This can lead to a Cross Site Scripting vulnerability. Imagine the following situation:
A web page allows users to upload files, but it only allows them to upload jpg files. To validate that the script will call pathinfo (e.g. "pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION)") and compare it to jpg and will reject the upload otherwise.
These should be safe, as a web server will serve all *.jpg files with an image/jpeg mime type. However a .jpg file will bypass that check and the webserver will deliver it (depending on its configuration) either without a mime type or with an autodetected mimetype. Both lead to XSS.

I put a small example script below that exposes this behavior.

I haven't yet found a real world example of this, but this looks like a problematic behavior that can easily lead to XSS unless a developer is very familiar with the subtleties of web servers and pathinfo. I recommend that PHP pathinfo() interprets a .jpg file as a file named ".jpg" without an extension.

Test script:
---------------
<?php
if (array_key_exists("upload", $_FILES)) {
    if (pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION) != 'jpg') {
        die("Only jpg allowed");
    }
    move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
    echo "Upload succeeded!<br>";
}
?>       
<form action="." enctype="multipart/form-data" method="POST">
<input type="file" name="upload" accept=".jpg"><br>
<input type="submit" value="Upload jpg">
</form>