Validates secrets provided to FileUploader in order to prevent
directory traversal attacks. We generate 32-byte hexadecimal secrets
now and 10-byte hexadecimal secrets in the past, so these are the only
two valid formats permitted.

Also adds a test that proves the exploit works without the change, and
a test that proves the change resolves the exploit.