To Charlie's point, there could be a case where a file can be executable on a web server without an extension, in Apache you can setup a ScriptAlias which points to an entire director for stuff like cgi-bin. It is a bit of a stretch, and you could argue that if your upload code allows uploads into a cgi-bin then it probably doesn't matter what the file extension is. I think it would be good to retain some way of blocking extensionless uploads either with another setting, or by an empty string in the extension list, eg: cfm,,cfml,etc or maybe a special keyword, eg: no-extension in the extension list.
... View more