Programmers make assumptions all the time, often intentional but just as often unconscious.
Many of these assumptions involve extending trust to other parties, such as the user, the software distribution medium, the execution environment, the development environment, and many, many others.
A thorough examination of trust management issues in software security could easily constitute a multivolume work by itself, and there is a lot of related research underway.
For a good general introduction to the subject, consult  and Chapter 13 of .
To handle the upload safely, you need to save it to a randomly named temp file, then validate it and possibly transcode it to a standardized set of options.
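One way to carry out that sequence, as an added example rather than code from the original text, assuming the upload is a PNG image. The names `normalize_png` and `store_upload`, the size and dimension limits, and the sample file are hypothetical; the normalization checks chunk structure and strips everything but the critical chunks, and it does not decode pixel data the way a full transcode with an image library would.

```python
import os, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # critical chunks; everything else is dropped
MAX_BYTES, MAX_DIM = 5 * 1024 * 1024, 8192   # assumed policy limits

def make_chunk(ctype, body):  # length, type, data, CRC-32 over type+data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def normalize_png(data):
    """Validate PNG structure; re-emit only KEEP chunks, stopping at IEND."""
    if len(data) > MAX_BYTES or not data.startswith(PNG_SIG):
        raise ValueError("not an acceptable PNG")
    out, pos, seen = [PNG_SIG], len(PNG_SIG), []
    while pos + 12 <= len(data) and seen[-1:] != [b"IEND"]:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        body = data[pos + 8:end - 4]
        if end > len(data) or zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("truncated chunk or bad CRC")
        if (ctype == b"IHDR") != (not seen) or (not seen and length != 13):
            raise ValueError("IHDR must be the first chunk, once, with 13 data bytes")
        if not seen and not all(0 < d <= MAX_DIM for d in struct.unpack(">II", body[:8])):
            raise ValueError("dimensions out of range")
        seen.append(ctype)
        if ctype in KEEP:
            out.append(data[pos:end])
        pos = end
    if b"IDAT" not in seen or seen[-1] != b"IEND":
        raise ValueError("missing IDAT or IEND")
    return b"".join(out)

def store_upload(data, upload_dir):
    fd, tmp = tempfile.mkstemp(dir=upload_dir, suffix=".upload")  # random name, mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        with open(tmp, "rb") as f:
            clean = normalize_png(f.read())
        final = tmp[:-len(".upload")] + ".png"  # server-chosen name, never the client's
        with open(final, "xb") as f:
            f.write(clean)
        return final
    finally:
        os.unlink(tmp)  # the raw upload never outlives validation

# Constructed sample: 1x1 grayscale PNG with a tEXt chunk and bytes appended after IEND.
SAMPLE = (PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + make_chunk(b"tEXt", b"Comment\x00untrusted") + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b"") + b"appended bytes")
```

The upload directory should sit outside the web root, so that even a file that slips through validation is never served or executed by its stored path.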