This basically allows a compromised renderer to upload an arbitrary file that Chrome has access to and the attacker knows the path of.  This seems concerning enough that we shouldn't go to Canary until we have some sort of protection in place.