It is now a requirement for attachments to do one of three things:
1. Have a content_type validation (e.g. "image/*")
2. Have a filename validation (e.g. *.png, *.gif)
3. Explicitly *not* have one of those validations
The intent is to make the default more secure, and you have to
explicitly reject the security of a validation in order to not have one.
