As pointed out by /u/throwaway, there was an XSS hole and a flaw allowing uploading and execution of PHP files.
Now, "<" and ">" characters are blocked in file-names & get requests, and the endings to some file-types (which are often used for executables) are replaced with "inv"-- including "php", "cl", "lisp", and "pl".
I'll probably make the latter blocks configurable, since peoples' configurations of HTTP servers varies.
Big shout-out and thanks to /u/throwaway, who uses a throwaway account, probably! What a good fellow. :)
EDIT: No private data (including who uploaded what) was accessed when this security problem existed-- that data isn't stored in the first place. Worst-case scenario, the list and time-stamps of uploaded files were seen. I've just set up an automatic job to change the time-stamps of every file once an hour, so that even that information will be useless. =w=