fix: harden uploaded file handling

[gr8man]

No description provided.

[mergeable]

Hi there, gr8man! 👋

Thank you for sending this PR!

We expect the following in all Pull Requests (PRs).

• PRs must be sent to the appropriate branch
• All git commits must be GPG-signed
• Must follow our style guide
• Be commented in the PHP source file
• Be documented in the user guide
• Be unit tested
• Pass all checks in GitHub Actions

Important

We expect all code changes or bug-fixes to be accompanied by one or more tests added to our test suite to prove the code works.

If pull requests do not comply with the above, they will likely be closed. Since we are a team of volunteers, we don't have any more time to work
on the framework than you do. Please make it as painless for your contributions to be included as possible.

See https://github.com/codeigniter4/CodeIgniter4/blob/develop/contributing/pull_request.md

Sincerely, the mergeable bot 🤖

[michalsn]

Thanks for the report. This appears to be security-sensitive, so we are moving handling to our private security process. Please avoid adding further technical details here.

For future security-related reports, please follow our security policy:
https://github.com/codeigniter4/CodeIgniter4?tab=security-ov-file