UploadBase::detectScript() is executed for partially uploaded files (verifyPartialFile()), not only complete ones (verifyFile()). However, it expects to only work with complete files (e.g. it checks the first two bytes to determine UTF-16 endianness, and some other checks).
This means that the checks meant to run only on the first 1 KB of the file, or the first 256 KB, etc., in fact run on the first x KB of every uploaded chunk, accidentally checking things in the middle of large files.
Here's an example file that falsely fails with 'uploadscripted' when every 5 MB chunk is checked, but passes when uploaded in one large chunk:
(~25 MB TIFF file, source). The easiest way to reproduce is to try uploading the file with UploadWizard, which uses 5 MB chunked uploads. The cause is the presence of the string '<PrE' at offset 10332876 within the file.
Even if an individual chunk of a file was nefarious, only the uploader is able to access stashed uploads (including chunked ones), so allowing them is not a security vulnerability.
Note that this is not a security issue – it can only cause false positives (file upload prevented for good files), never false negatives (file upload allowed for bad files). I am tagging Security since it's security-relevant code, and because I would like the explanation above and the patch carefully reviewed from the security perspective.
(Originally reported at https://commons.wikimedia.org/wiki/Commons:Upload_help#.22Internal_error:_Server_failed_to_store_temporary_file..22_.28uploadscripted.29.)
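
The false positive described above, reduced to a small model. This is an added example, not MediaWiki's code and not the patch on this task. The tag list, the scaled-down sizes, the function names and the sample bytes are all assumptions or constructed values.

```python
"""Model of a head-only upload scanner applied to whole files vs. chunks."""

HEAD_WINDOW = 1024          # the scanner inspects only this many leading bytes
CHUNK_SIZE = 8 * 1024       # constructed; stands in for the 5 MB upload chunks
SUSPICIOUS = (b"<pre", b"<script", b"<html")   # assumed, abbreviated tag list


def head_looks_scripted(data: bytes) -> bool:
    """Case-insensitive tag search in the first HEAD_WINDOW bytes only."""
    head = data[:HEAD_WINDOW].lower()
    return any(tag in head for tag in SUSPICIOUS)


def verify_whole(data: bytes) -> bool:
    """Intended behaviour: scan the head of the complete file once."""
    return not head_looks_scripted(data)


def verify_chunked_buggy(data: bytes) -> list[int]:
    """Buggy behaviour: every chunk is scanned as if it were a complete file.
    Returns the offsets of the chunks that were rejected."""
    return [off for off in range(0, len(data), CHUNK_SIZE)
            if head_looks_scripted(data[off:off + CHUNK_SIZE])]


def verify_chunked_head_only(data: bytes) -> list[int]:
    """One possible correction (assumption): only the chunk at offset 0 holds
    the real file head, so only it gets the head check. The assembled file
    is still expected to pass verify_whole() afterwards."""
    return [0] if head_looks_scripted(data[:CHUNK_SIZE]) else []


def build_sample() -> bytes:
    """Constructed binary 'image': TIFF magic, zero filler, and the bytes
    '<PrE' placed 100 bytes into the third chunk as incidental pixel data."""
    body = bytearray(b"II*\x00" + b"\x00" * (4 * CHUNK_SIZE - 4))
    pos = 2 * CHUNK_SIZE + 100
    body[pos:pos + 4] = b"<PrE"
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample()
    print("whole file accepted:", verify_whole(sample))
    print("buggy per-chunk rejections at:", verify_chunked_buggy(sample))
    print("head-only per-chunk rejections at:", verify_chunked_head_only(sample))
```

The same bytes pass when scanned once as a complete file and are rejected only because a chunk boundary moves them into a "head" window.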