If the system.file.allow_insecure_uploads setting evaluates to true, the file should come out untouched, no matter how evil the filename.
function testMungeIgnoreInsecure() {
config('system.file')
->set('allow_insecure_uploads', 1)
->save();
$munged_name = file_munge_filename($this->name, '');
$this
->assertIdentical($munged_name, $this->name, format_string('The original filename (%original) matches the munged filename (%munged) when insecure uploads are enabled.', array(
'%munged' => $munged_name,
'%original' => $this->name,
)));
}