Index: includes/file.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/file.inc,v
retrieving revision 1.192
diff -u -r1.192 file.inc
--- includes/file.inc 30 Sep 2009 18:36:01 -0000 1.192
+++ includes/file.inc 8 Oct 2009 18:08:29 -0000
@@ -796,18 +796,24 @@
 }

 /**
- * Munge the filename as needed for security purposes.
+ * Modify a filename as needed for security purposes.
 *
- * For instance the file name "exploit.php.pps" would become "exploit.php_.pps".
+ * Dangerous file names will be altered; for instance, the file name
+ * "exploit.php.pps" will become "exploit.php_.pps". All extensions that are
+ * between 2 and 5 characters in length, internal to the file name, and not
+ * included in $extensions will be altered by adding an underscore. If variable
+ * 'allow_insecure_uploads' evaluates to TRUE, no alterations will be made.
 *
 * @param $filename
- * The name of a file to modify.
+ * File name to modify.
 * @param $extensions
- * A space separated list of extensions that should not be altered.
+ * A space-separated list of extensions that should not be altered.
 * @param $alerts
- * Whether alerts (watchdog, drupal_set_message()) should be displayed.
+ * If TRUE, drupal_set_message() will be called to display a message if the
+ * file name was changed.
+ *
 * @return
- * $filename The potentially modified $filename.
+ * The potentially modified $filename.
 */
 function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 $original = $filename;
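Review bot: The rewritten docblock for file_munge_filename() says which names are altered but not why, and it never states that the final extension is left as it is; both matter to callers who rely on this function for upload safety. Going by the wording "internal to the file name" and the "exploit.php_.pps" example, the last extension is presumably never touched, so the comment should say so, e.g. `* The final extension is not altered here; callers must validate it separately.` A one-line rationale would also help the next maintainer: `* Some web server configurations act on any recognised extension in a name, not only the last one.` The sentence on 'allow_insecure_uploads' could add that setting the variable turns this protection off for every caller. The function body lies outside the hunk, so these statements should be checked against it before they are committed.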