Just applied Drupal 7.20 this morning and immediately noticed an issue. Some of our derived images are getting Access Denied. I walked through what's happening and in the generation of the token the uri is taken from the file_managed table, where these images have uris such as "public:///imagefield_fS5HL8.png" while in the request the uri is reverse engineered to be "public://imagefield_fS5HL8.png" without the extra slash. Thus the token values do not match.
These images are uploaded to the root of the public files directory, while others that work OK are in subdirectories. So somewhere in the file module I think the uri is being generated incorrectly.
I am applying the workaround flag for now, and will also ensure that all file fields are configured with a subdirectory for better manageability, but i can't be the only person to be bitten by this one.
FAILED: [[SimpleTest]]: [MySQL] 39,993 pass(es), 5 fail(s), and 1 exception(s).
PASSED: [[SimpleTest]]: [MySQL] 39,986 pass(es).
PASSED: [[SimpleTest]]: [MySQL] 39,752 pass(es).
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch drupal-broken_file_uris-1923554-11-D7.patch. Unable to apply patch. See the log in the details link for more information.
PASSED: [[SimpleTest]]: [MySQL] 40,001 pass(es).