>>472the default is to not allow any files except jpg, png, or gif images (and rename them). it's possible to make it insecure by configuring it improperly, but it's certainly not the default.