If the allow_insecure_uploads variable evaluates to true, the file should come out untouched, no matter how evil the filename.
function testMungeIgnoreInsecure() {
variable_set('allow_insecure_uploads', 1);
$munged_name = file_munge_filename($this->name, '');
$this
->assertIdentical($munged_name, $this->name, format_string('The original filename (%original) matches the munged filename (%munged) when insecure uploads are enabled.', array(
'%munged' => $munged_name,
'%original' => $this->name,
)));
}