* Bryan Tong Minh <[email protected]> [Wed, 3 Nov 2010 11:22:26 +0100]:
> On Wed, Nov 3, 2010 at 11:14 AM, Dmitriy Sintsov <[email protected]> wrote:
> > In an ideal world, there probably should be no direct access to
> > $_FILES[] and usage of is_uploaded_file(), but all of these calls
> > should be encapsulated into WebRequest class, imo.
> >
> As of r70037 and follow-ups, this has been possible.
>
> http://www.mediawiki.org/wiki/Special:Code/MediaWiki/70037
>
Ah, I didn't know that. The customers still mostly run 1.15.x so I am
not checking the trunk very often. I should take a look at that new
class. Btw, I don't see an is_uploaded_file() check against "$_FILES[]
injection" in the code, is that secure? Or, perhaps it already was
somewhere else. But, FauxRequest would not require it, of course.

Dmitriy
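Added example, not part of the original message and not MediaWiki code: one way an accessor class could wrap the upload array and apply is_uploaded_file() before handing out a temp path, with the check swapped out for a faux request. UploadAccessor, getTempName and the 'upload' key are hypothetical names.

```php
<?php
// Added illustration; UploadAccessor and getTempName are hypothetical names,
// not MediaWiki's WebRequest API.
final class UploadAccessor
{
    private array $files;
    /** @var callable check applied to tmp_name */
    private $verifier;

    public function __construct(array $files, ?callable $verifier = null)
    {
        $this->files = $files;
        // Real requests verify with is_uploaded_file(); a faux request may pass another check.
        $this->verifier = $verifier ?? 'is_uploaded_file';
    }

    /** Temp path for $key, or null if absent, failed, or not a genuine upload. */
    public function getTempName(string $key): ?string
    {
        $entry = $this->files[$key] ?? null;
        if (!is_array($entry) || !isset($entry['error'], $entry['tmp_name'])) {
            return null;
        }
        // Reject array-valued (multi-file) entries and any upload error.
        if ($entry['error'] !== UPLOAD_ERR_OK || !is_string($entry['tmp_name'])) {
            return null;
        }
        // is_uploaded_file() is true only for files PHP itself received via
        // HTTP POST, so a tmp_name naming any other local file is refused.
        if (!($this->verifier)($entry['tmp_name'])) {
            return null;
        }
        return $entry['tmp_name'];
    }
}

// Constructed sample input: an entry whose tmp_name did not come from PHP's upload handling.
$forged = ['upload' => [
    'name' => 'x.png', 'type' => 'image/png', 'size' => 10,
    'tmp_name' => __FILE__, 'error' => UPLOAD_ERR_OK,
]];

// Real-request accessor: tmp_name is verified with is_uploaded_file().
$real = new UploadAccessor($forged);
var_dump($real->getTempName('upload'));

// Faux request built by trusted test code: the upload check is replaced by is_file().
$faux = new UploadAccessor($forged, 'is_file');
var_dump($faux->getTempName('upload') === __FILE__);
```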
