The simple truth is that the config options "$g_allowed_files" and "$g_disallowed_files" operate
on extensions, whereas file uploads (drop, rest) use the content mime type.
So for example with '$g_disallowed_files = "pdf";' any upload of ".pdf" errors out, but ".pdf.fake" succeeds
and happily displays the fake pdf(!) on demand later on.
-> Check paths for arbitrary code executions/injections.