Hi,

Just to check, at the moment, if I was an evil hacker, and was to run:

curl -F 'file=@example.jpg;filename=../../../example.php' https://example.com/upload/

The $_FILES['file']['name'] would be set to "example.php", where PHP has
removed the leading "../../../" (good to see).

Does that happen simply because of this IE fix, where it uses _basename()
in the PHP source:

https://github.com/php/php-src/blob/0b4778c377a5753a0deb9cfc697d4f62acf93a29/main/rfc1867.c#L1144

Craig
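The question above is about what PHP does to `$_FILES['file']['name']` before user code ever sees it. Whatever the answer, an upload handler should not depend on that stripping: the following is an added example (not code from the original message, and not from php-src) of a handler that treats the client-supplied filename as untrusted input. The field name `file`, the upload directory `/var/app/uploads` (assumed to be outside the web root) and the allow-list of extensions are assumptions for the example.

```php
<?php
// Added example (not from the original email or from php-src): a defensive
// upload handler that never trusts the client filename, regardless of whether
// PHP has already stripped a leading "../../../" from $_FILES['file']['name'].
// Assumed: a form field named "file" and an upload directory outside the web root.

declare(strict_types=1);

function store_upload(array $file, string $uploadDir, array $allowed): ?string
{
    // Reject failed uploads and anything that did not arrive via HTTP upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Keep only the last path component, so any directory prefix is discarded
    // even if PHP did not already remove it.
    $clientName = basename((string) $file['name']);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Allow-list the extension; the client must not be able to pick ".php".
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Check the real content type rather than the client-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // Choose the stored name ourselves: random, with the validated extension,
    // so the client filename never reaches the filesystem.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $storedName;
}

// Assumed allow-list: extension => expected MIME type as detected by finfo.
$allowed = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

if (isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file'], '/var/app/uploads', $allowed);
    header('Content-Type: text/plain');
    echo $stored === null ? "rejected\n" : "stored as {$stored}\n";
}
```

With this handler the `curl -F` request in the message is rejected twice over: `.php` is not in the allow-list, and the stored name is generated server-side, so the `filename=` part of the multipart header has no influence on where or under what name the file lands.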
