Hi Stas,

On Wed, Feb 25, 2015 at 7:31 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> > I think he means matching file "extension". File extension should
> > represent file type, though.
>
> You can not rely on that. I can name files anything regardless of what's
> in the file.
>
> > Since "pwnd.php" has ".php" extension, move_uploaded_file() refuses to
> > move it
> > to upload dir by default.
>
> There's no pwnd.php. The file that I upload is "cuteponies.gif". Please
> look at the sequence again carefully.

require('cuteponies.gif') wouldn't work with this RFC.
move_uploaded_file() prohibits uploading a PHP script.

I noticed that I should forbid destination file extension also by this
discussion. I'll add it soon. Thank you.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net