parse-server: Security bypass in file upload extension blocklist fixed
A security bypass in the default file upload extension blocklist was fixed.
What changed
A security bypass in the default file upload extension blocklist was fixed. Previously, appending a trailing dot to a blocked extension (e.g., 'poc.svg.') bypassed the blocklist, allowing stored XSS via attacker-controlled Content-Type. Now, filenames ending in a dot are treated as extensionless, and the Content-Type subtype is validated against the blocklist.
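As an added illustration (not parse-server's own code), the check below applies the two rules the fix describes: a filename ending in a dot yields no extension, and the Content-Type subtype is compared against the blocklist. The blocklist contents and the stripping of a "+xml" structured-syntax suffix are assumptions made for this example.

```javascript
// Constructed blocklist for the example; parse-server's real default differs.
const BLOCKED_EXTENSIONS = new Set(['html', 'htm', 'js', 'svg']);

// Extension of the last path segment, lowercased. A trailing dot means
// "no extension": 'poc.svg.' must not be read as 'svg', nor pass as safe
// by accident; the Content-Type check below still applies to it.
function extensionOf(filename) {
  const base = String(filename).split('/').pop();
  if (base.endsWith('.')) return '';
  const idx = base.lastIndexOf('.');
  if (idx <= 0) return '';            // no dot, or dotfile like '.htaccess'
  return base.slice(idx + 1).toLowerCase();
}

// Subtype of a media type, ignoring parameters such as '; charset=utf-8'.
// Assumption: a structured-syntax suffix is dropped, so
// 'image/svg+xml' -> 'svg', which lets the extension blocklist apply to it.
function subtypeOf(contentType) {
  if (!contentType) return '';
  const mediaType = String(contentType).split(';')[0].trim().toLowerCase();
  const slash = mediaType.indexOf('/');
  if (slash < 0) return '';
  const subtype = mediaType.slice(slash + 1);
  const plus = subtype.indexOf('+');
  return plus >= 0 ? subtype.slice(0, plus) : subtype;
}

// Reject when either the filename extension or the declared Content-Type
// subtype is on the blocklist. This closes the trailing-dot bypass: the
// extension is empty, but 'image/svg+xml' still resolves to 'svg'.
function isUploadAllowed(filename, contentType, blocked = BLOCKED_EXTENSIONS) {
  if (blocked.has(extensionOf(filename))) return false;
  if (blocked.has(subtypeOf(contentType))) return false;
  return true;
}
```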
Who it affects
All parse-server instances using the default file upload blocklist together with a storage adapter that persists and serves the client-supplied Content-Type (e.g., S3, GCS). The GridFS adapter is not affected.
What to do today
Update parse-server to the patched version. If you cannot update, configure the storage adapter or CDN to derive the Content-Type from the filename extension, or replace the blocklist with an explicit allowlist.