How to safely allow upload of executable files

The most common solution for this kind of issue is to make sure the stored file is not accessible by the web server.

One simple way to do this is to store the file in a database and never save it to the disk. You need to be careful not to create some kind of XSS though: do not allow the file to be linked to directly or, ideally, downloaded. If you need the file to be made available through your web interface, use the "attachment" content-disposition header to make sure the browser will not attempt to interpret the file.


Use a sane framework which includes proper URL routing. Instead of the web server directing requests to executable files depending on the URL, it redirects all requests to the framework's entry point and lets it handle the request, usually based on a route to controller mapping.

This means any uploaded file is safe as there should be no way for it to get executed.
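The two answers above combined into one sketch, as an added example that is not code from either answer: uploads live only in a database, a single WSGI entry point maps the URL to a handler, and downloads are forced to `attachment`. The table name, the `/files/<id>` route and the helper names are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

# In-memory SQLite stands in for the application's database (assumption).
db = sqlite3.connect(":memory:", check_same_thread=False)
db.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, name TEXT, data BLOB)")

def store_upload(name, data):
    """Keep the upload as a BLOB; nothing is written under the web root."""
    cur = db.execute("INSERT INTO uploads (name, data) VALUES (?, ?)", (name, data))
    db.commit()
    return cur.lastrowid

def safe_disposition(name):
    """Build an attachment header from an untrusted, user-supplied filename."""
    # ASCII fallback: replace anything that could break out of the quoted string
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", name)[:100] or "download"
    return f"attachment; filename=\"{fallback}\"; filename*=UTF-8''{quote(name, safe='')}"

def app(environ, start_response):
    """Single entry point: the URL selects a handler, never a file to execute."""
    m = re.fullmatch(r"/files/(\d{1,9})", environ.get("PATH_INFO", ""))
    row = m and db.execute("SELECT name, data FROM uploads WHERE id = ?",
                           (int(m.group(1)),)).fetchone()
    if not row:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    name, data = row
    start_response("200 OK", [
        ("Content-Type", "application/octet-stream"),  # never the uploader's type
        ("Content-Disposition", safe_disposition(name)),
        ("X-Content-Type-Options", "nosniff"),          # disable MIME sniffing
        ("Content-Length", str(len(data))),
    ])
    return [data]

def fetch(path):
    """Call the WSGI app in-process and return (status, headers, body)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

A request for a path such as `/uploads/shell.php` only ever reaches the router and gets a 404, because no route resolves to a file on disk.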