The "upload.php" file in the "url" parameter contains an internal server side request forgery vulnerability due to an incomplete patch for CVE-2018-14728
This was because it only checks whether the extension was blacklisted or not.
This could be bypassed by requesting a php file and putting "/test.ico" at the end of the url like "index.php/test.ico" because it would than load the "index.php" web page and not "test.ico" by which we bypassed the filter.
This allowed you to create an internal proxy and request a web page within the internal network even though you shouldn't be allowed to reach that.
This vulnerability also exists in 9.14.0 but because a bug was introduced in 9.14.0 no one could upload any file via a url, but the server still sent the request so this still could be used for blind internal server side request forgery, but a copy of that request is stored in the "/tmp/" folder so if you can access the "/tmp/" then you can see the web page.