Steps to reproduce
- Go to Media -> Images
- Create the new image
- Fill required fields
- Select non-image file, for instance, a .php file 1
- Try to publish content
After the first click on publish, page will reload but nothing more happens. There is no error message.
After the second click on Publish, content will be saved without any file.
You should see some validation error on the front-end.
This is not a security issue. Finally, the non-image file won't be saved to the storage directory. It exists in the /tmp directory for the short time only.
1 - probably you need to change filetype setting in your's browser file picker window. See screenshots in the attachment.