As a result of #1914018: Configuration files under security risk, I believe file_scan_directory() needs to exclude the config_* folder in all cases. The nomask param needs to be extended to remove all config_* folders.
<?php
$options += array(
  'nomask' => '/^CVS$/',
  'callback' => 0,
  'recurse' => TRUE,
  'key' => 'uri',
  'min_depth' => 0,
);
?>
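
One way the extended nomask described above could behave, as an added example that is not part of the original post or of Drupal core. scan_dir() is a hypothetical, simplified stand-in for file_scan_directory(); the regex, the directory name config_AbC123 and the sample tree are constructed assumptions.

```php
<?php
// Added illustration, not Drupal core code. scan_dir() is a hypothetical,
// simplified stand-in for file_scan_directory(): it tests 'nomask' against
// each entry's base name and never descends into a matching directory.
function scan_dir(string $dir, string $mask, array $options = []): array {
  $options += [
    // Assumed extension of the default: skip CVS and any config_* entry.
    'nomask' => '/^(CVS|config_.*)$/',
    'recurse' => TRUE,
  ];
  $files = [];
  foreach (scandir($dir) as $name) {
    if ($name === '.' || $name === '..' || preg_match($options['nomask'], $name)) {
      continue;
    }
    $uri = "$dir/$name";
    if (is_dir($uri)) {
      if ($options['recurse']) {
        $files += scan_dir($uri, $mask, $options);
      }
    }
    elseif (preg_match($mask, $name)) {
      $files[$uri] = $name;
    }
  }
  return $files;
}

// Constructed sample tree in a temporary directory.
$root = sys_get_temp_dir() . '/nomask_demo_' . uniqid();
foreach (['modules/foo', 'config_AbC123/active', 'CVS'] as $d) {
  mkdir("$root/$d", 0700, TRUE);
}
file_put_contents("$root/modules/foo/foo.info.yml", "name: foo\n");
file_put_contents("$root/config_AbC123/active/system.site.yml", "uuid: x\n");
file_put_contents("$root/CVS/Entries.yml", "\n");

// The current default only skips CVS, so the config file is still listed.
$default = scan_dir($root, '/\.yml$/', ['nomask' => '/^CVS$/']);
// The extended nomask prunes the whole config_* directory as well.
$extended = scan_dir($root, '/\.yml$/');

print_r(array_values($default));
print_r(array_values($extended));
```

Because the match is on the base name at every depth, a config_* directory nested below the scan root is pruned too, and so is any ordinary file or module directory whose name happens to start with config_.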