diff -urp drupal/includes/file.inc drupalnew/includes/file.inc
--- drupal/includes/file.inc	2010-05-18 19:33:32.000000000 -0400
+++ drupalnew/includes/file.inc	2010-05-18 19:38:28.000000000 -0400
@@ -1167,28 +1167,24 @@ function file_save_upload($source, $vali
       return FALSE;
   }
 
-  // Build the list of non-munged extensions.
-  // @todo: this should not be here. we need to figure out the right place.
-  $extensions = '';
-  foreach ($user->roles as $rid => $name) {
-    $extensions .= ' ' . variable_get("upload_extensions_$rid",
-    variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
-  }
-
   // Begin building file object.
   $file = new stdClass();
   $file->uid      = $user->uid;
   $file->status   = 0;
-  $file->filename = file_munge_filename(trim(basename($_FILES['files']['name'][$source]), '.'), $extensions);
+  $file->filename = trim(basename($_FILES['files']['name'][$source]));
   $file->uri      = $_FILES['files']['tmp_name'][$source];
   $file->filemime = file_get_mimetype($file->filename);
   $file->filesize = $_FILES['files']['size'][$source];
 
-  // Rename potentially executable files, to help prevent exploits.
-  if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
-    $file->filemime = 'text/plain';
-    $file->uri .= '.txt';
-    $file->filename .= '.txt';
+  // Content types may allow all extensions in which case the
+  // extension validator won't exist in the validators array.
+  if (!in_array('file_validate_extensions', array_keys($validators)) && !variable_get('allow_insecure_uploads', 0)) {
+    // Rename potentially executable files, to help prevent exploits.
+    if (preg_match('/\.(php|pl|py|cgi|asp|js|exe|htm|html|css)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+      $file->filemime = 'text/plain';
+      $file->uri .= '.txt';
+      $file->filename .= '.txt';
+    }
   }
 
   // If the destination is not provided, use the temporary directory.
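Review bot: Multi-extension names are no longer neutralised when a caller passes `file_validate_extensions`: the new `$file->filename = trim(basename(...))` drops `file_munge_filename()`, and the rename branch below is skipped whenever that validator key exists, so a name whose last extension is allowed but which carries an inner script extension is stored unchanged. That matters on web servers configured to pick a handler from any extension in the name. Dropping the `'.'` argument from `trim()` also lets leading and trailing dots through. I would keep the munge, driven by the validator's own list, e.g. `if (isset($validators['file_validate_extensions'][0])) { $file->filename = file_munge_filename($file->filename, $validators['file_validate_extensions'][0]); }`, and restore `trim(..., '.')`. file_save_upload() starts and ends outside this hunk, so any later sanitising is not visible from here.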
diff -urp drupal/modules/update/update.manager.inc drupalnew/modules/update/update.manager.inc
--- drupal/modules/update/update.manager.inc	2010-05-18 19:33:24.000000000 -0400
+++ drupalnew/modules/update/update.manager.inc	2010-05-18 19:38:00.000000000 -0400
@@ -488,7 +488,7 @@ function update_manager_install_form($fo
   $form['project_upload'] = array(
     '#type' => 'file',
     '#title' => t('Upload a module or theme archive to install'),
-    '#description' => t('For example: %filename from your local computer', array('%filename' => 'name.tar.gz')),
+    '#description' => t('For example: %filename from your local computer<br/>Note: archive file must be less than %size', array('%filename' => 'name.tar.gz', '%size' => format_size(parse_size(file_upload_max_size())))),
   );
 
   $form['actions'] = array('#type' => 'actions');
@@ -541,9 +541,25 @@ function update_manager_install_form_sub
   }
   elseif ($_FILES['files']['name']['project_upload']) {
     $field = 'project_upload';
-    // @todo: add some validators here.
-    $finfo = file_save_upload($field, array(), NULL, FILE_EXISTS_REPLACE);
+    $archive_extensions = '';
+    $archiver_info = archiver_get_info();
+
+    foreach ($archiver_info as $info) {
+      if (!empty($info['extensions'])) {
+        $archive_extensions .= ' ' . implode(' ', $info['extensions']);
+      }
+    }
+
+    $validators = array(
+      'file_validate_extensions' => array($archive_extensions),
+	);	
+
+    $finfo = file_save_upload($field, $validators, NULL, FILE_EXISTS_REPLACE);
     // @todo: find out if the module is already instealled, if so, throw an error.
+    if (!$finfo) {	
+      // file_save_upload() provides the reason for failure.
+      return;
+    }
     $local_cache = $finfo->uri;
   }
 
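Review bot: `$archive_extensions` is built with `.= ' ' . implode(...)`, so it always begins with a space and stays an empty string when no archiver reports extensions. How `file_validate_extensions` treats a leading separator or an empty list is not visible here. Because the presence of this validator key also switches off the executable-rename branch added in file_save_upload(), the list should be checked before it is trusted: pass `array(trim($archive_extensions))` and set a form error and return when the trimmed string is empty. The `);` line closing `$validators` and the `if (!$finfo) {` line also carry tab characters and trailing whitespace, unlike the surrounding two-space indentation. The submit handler begins and ends outside this hunk.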
