It is now a requirement for attachments to do one of three things:
  1. Have a content_type validation (e.g. "image/*")
  2. Have a filename validation (e.g. *.png, *.gif)
  3. Explicitly *not* have one of those validations

The intent is to make the default more secure, and you have to
explicitly reject the security of a validation in order to not have one.