A bug got reported elsewhere and should be fixed before a new official release:

Noticed that I could upload .ttf files. Eventually figured out that this wasn't how it works with sIFR but was alarmed that I could upload all kinds of stuff with this module.

I uploaded .dat files (which weren't changed). Fortunately the .js & .php files were renamed:

For security reasons, your upload has been renamed to js_bac3196cd6469ac617720979ae584ff6.js_.txt.

However, seems like there aren't enough file restrictions and that this is a possible security flaw.

This font/asset file uploading form is only available to users having the "administer site configuration" permission; i.e., super-admins only.

The existing form validation handler already contains a @todo to check the uploaded file in terms of render plugins.