diff -urp ./includes/file.inc ../drupalnew/includes/file.inc
--- ./includes/file.inc 2010-05-21 09:53:32.000000000 -0400
+++ ../drupalnew/includes/file.inc 2010-05-21 13:29:15.000000000 -0400
@@ -1167,28 +1167,36 @@ function file_save_upload($source, $vali
 return FALSE;
 }
- // Build the list of non-munged extensions.
- // @todo: this should not be here. we need to figure out the right place.
- $extensions = '';
- foreach ($user->roles as $rid => $name) {
- $extensions .= ' ' . variable_get("upload_extensions_$rid",
- variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
+ // File extension validation is required for security purposes.
+ if (!isset($validators['file_validate_extensions'])) {
+ // Fallback to a safe list of extensions if the caller didn't pass them in.
+ $validators['file_validate_extensions'] = array('jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
 }
+ // Build the list of non-munged extensions.
+ $extensions = $validators['file_validate_extensions'][0];
+
 // Begin building file object.
 $file = new stdClass();
 $file->uid = $user->uid;
 $file->status = 0;
+ // Munging is required to protect against possible malicious extension hiding
+ // within an unknown file type. ie: filename.php.foo
 $file->filename = file_munge_filename(trim(basename($_FILES['files']['name'][$source]), '.'), $extensions);
 $file->uri = $_FILES['files']['tmp_name'][$source];
 $file->filemime = file_get_mimetype($file->filename);
 $file->filesize = $_FILES['files']['size'][$source];
- // Rename potentially executable files, to help prevent exploits.
- if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+ // Rename potentially executable files, to help prevent exploits. Don't
+ // rename if 'allow_insecure_uploads' evaluates to TRUE.
+ if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
 $file->filemime = 'text/plain';
 $file->uri .= '.txt';
 $file->filename .= '.txt';
+ // The .txt extension may not be in the allowed list of extensions. 
We have
+ // to add it here or else the file upload will fail.
+ $validators['file_validate_extensions'][0] .= ' txt';
+ drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
 }
 // If the destination is not provided, use the temporary directory.
diff -urp ./modules/file/file.field.inc ../drupalnew/modules/file/file.field.inc
--- ./modules/file/file.field.inc 2010-05-21 09:53:32.000000000 -0400
+++ ../drupalnew/modules/file/file.field.inc 2010-05-21 12:51:00.000000000 -0400
@@ -122,9 +122,10 @@ function file_field_instance_settings_fo
 '#type' => 'textfield',
 '#title' => t('Allowed file extensions'),
 '#default_value' => $extensions,
- '#description' => t('Separate extensions with a space or comma and do not include the leading dot. Leaving this blank will allow users to upload a file with any extension.'),
+ '#description' => t('Separate extensions with a space or comma and do not include the leading dot.'),
 '#element_validate' => array('_file_generic_settings_extensions'),
 '#weight' => 1,
+ '#required' => TRUE,
 );
 $form['max_filesize'] = array(
@@ -545,7 +546,6 @@ function file_field_widget_upload_valida
 // There is always a file size limit due to the PHP server limit.
 $validators['file_validate_size'] = array($max_filesize);
- // Add the extension check if necessary.
 if (!empty($instance['settings']['file_extensions'])) {
 $validators['file_validate_extensions'] = array($instance['settings']['file_extensions']);
 }
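Review bot: The safe-default fallback on the `if (!isset($validators['file_validate_extensions']))` line is skipped when a caller passes the key with an empty value (`array('')` or `array()`), so `$extensions` becomes `''` or an undefined-offset NULL and the `file_munge_filename(...)` call below runs with no allow-list to munge against; changing the guard to `if (empty($validators['file_validate_extensions'][0])) {` would route that case to the default list as well. file_save_upload() is a public API, so the `#required` change to the field settings form in file.field.inc does not by itself guarantee that every caller supplies a non-empty list. A smaller point: `substr($file->filename, -4) != '.txt'` is case-sensitive while the preg_match is not, so a name already ending in `.TXT` gets a second `.txt` appended; harmless, but `strtolower(substr(...))` would make the two checks agree. The enclosing function starts and ends outside the hunk.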
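Review bot: Adding `'#required' => TRUE` to the extensions textfield only enforces a value at the moment the instance settings form is submitted; instances saved before this change with an empty `file_extensions` setting presumably keep that empty value until an administrator re-saves them, and nothing in this patch migrates them. If that is intended, the `'#description'` text could say so, e.g. `t('Separate extensions with a space or comma and do not include the leading dot. At least one extension is required.')`, so the removal of the "Leaving this blank" sentence does not leave the admin without an explanation of why the field now refuses to be empty. The surrounding form array starts and ends outside the hunk.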
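Review bot: Removing the `// Add the extension check if necessary.` comment leaves the remaining `if (!empty($instance['settings']['file_extensions']))` guard unexplained, and its meaning has changed with this patch: when the setting is empty the validator key is simply not set, and file_save_upload() in file.inc now substitutes its own default list rather than allowing any extension. A comment on the line above the `if` would capture that, e.g. `// The extensions setting is required on the form, but an instance stored with an empty value falls through to the default list applied in file_save_upload().`. The enclosing function starts outside the hunk.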