diff -urp ./includes/file.inc ../drupalnew/includes/file.inc
--- ./includes/file.inc	2010-05-21 09:53:32.000000000 -0400
+++ ../drupalnew/includes/file.inc	2010-05-22 13:55:04.000000000 -0400
@@ -1167,28 +1167,44 @@ function file_save_upload($source, $vali
       return FALSE;
   }
 
-  // Build the list of non-munged extensions.
-  // @todo: this should not be here. we need to figure out the right place.
-  $extensions = '';
-  foreach ($user->roles as $rid => $name) {
-    $extensions .= ' ' . variable_get("upload_extensions_$rid",
-    variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp'));
-  }
-
   // Begin building file object.
   $file = new stdClass();
   $file->uid      = $user->uid;
   $file->status   = 0;
-  $file->filename = file_munge_filename(trim(basename($_FILES['files']['name'][$source]), '.'), $extensions);
+  $file->filename = trim(basename($_FILES['files']['name'][$source]), '.');
   $file->uri      = $_FILES['files']['tmp_name'][$source];
   $file->filemime = file_get_mimetype($file->filename);
   $file->filesize = $_FILES['files']['size'][$source];
 
-  // Rename potentially executable files, to help prevent exploits.
-  if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
+  $extensions = '';
+  if (isset($validators['file_validate_extensions'])) {
+    // Build the list of non-munged extensions if the caller provided them.
+    $extensions = $validators['file_validate_extensions'][0];
+  }
+
+  // File munging must only happen when the caller provides a list of allowed
+  // extensions. Otherwise, we may break file upload operations that want to
+  // allow any extension.
+  if (!empty($extensions)) {
+    // Munge the filename to protect against possible malicious extension hiding
+    // within an unknown file type (ie: filename.html.foo).
+    $file->filename = file_munge_filename($file->filename, $extensions);
+  }
+
+  // Rename potentially executable files, to help prevent exploits (ie: will
+  // rename filename.php.foo and filename.php to filename.php.foo.txt and
+  // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
+  // evaluates to TRUE.
+  if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
     $file->filemime = 'text/plain';
     $file->uri .= '.txt';
     $file->filename .= '.txt';
+    // The .txt extension may not be in the allowed list of extensions. We have
+    // to add it here or else the file upload will fail.
+    if (!empty($extensions)) {
+      $validators['file_validate_extensions'][0] .= ' txt';
+      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
+    }
   }
 
   // If the destination is not provided, use the temporary directory.
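Review bot: The `isset($validators['file_validate_extensions'])` check does not establish that element `[0]` exists or is non-empty, so a caller passing the validator with an empty list lands on the "allow any extension" path: `file_munge_filename()` is skipped while the validator stays in `$validators`. Test `isset($validators['file_validate_extensions'][0])` and decide explicitly what an empty list means (drop the validator or fall back to a default list), since how `file_validate_extensions` treats an empty string is not visible here. In the rename branch, `drupal_set_message()` sits inside `if (!empty($extensions))`, so an upload made without an extension list is renamed to `.txt` silently; moving the message out of the inner `if` would tell the user in both cases. The pattern `(php|pl|py|cgi|asp|js)` is a blocklist, so on the unrestricted path anything the web server maps to a handler under another suffix is not caught; a comment could say that this rename is a secondary defense and the upload directory must not execute scripts. `file_save_upload()` starts and ends outside this hunk.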
diff -urp ./modules/file/file.field.inc ../drupalnew/modules/file/file.field.inc
--- ./modules/file/file.field.inc	2010-05-21 09:53:32.000000000 -0400
+++ ../drupalnew/modules/file/file.field.inc	2010-05-22 13:55:21.000000000 -0400
@@ -122,9 +122,10 @@ function file_field_instance_settings_fo
     '#type' => 'textfield',
     '#title' => t('Allowed file extensions'),
     '#default_value' => $extensions,
-    '#description' => t('Separate extensions with a space or comma and do not include the leading dot. Leaving this blank will allow users to upload a file with any extension.'),
+    '#description' => t('Separate extensions with a space or comma and do not include the leading dot.'),
     '#element_validate' => array('_file_generic_settings_extensions'),
     '#weight' => 1,
+    '#required' => TRUE,
   );
 
   $form['max_filesize'] = array(
@@ -544,11 +545,7 @@ function file_field_widget_upload_valida
 
   // There is always a file size limit due to the PHP server limit.
   $validators['file_validate_size'] = array($max_filesize);
-
-  // Add the extension check if necessary.
-  if (!empty($instance['settings']['file_extensions'])) {
-    $validators['file_validate_extensions'] = array($instance['settings']['file_extensions']);
-  }
+  $validators['file_validate_extensions'] = array($instance['settings']['file_extensions']);
 
   return $validators;
 }
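Review bot: Setting `$validators['file_validate_extensions']` unconditionally means a field instance saved earlier with a blank `file_extensions` setting, which the removed description text explicitly permitted, now passes an empty list. The `'#required' => TRUE` added in the settings-form hunk above only constrains future form submissions. In `file_save_upload()` an empty list skips munging, and whether the validator then accepts or rejects every upload depends on code not shown in this diff. Either keep a guard with a fallback, for example `if (empty($instance['settings']['file_extensions'])) { /* use a default list */ }`, or ship an update path that fills in existing blank settings. The function starts outside this hunk.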
