There was a problem hiding this comment. Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Choose a reason Spam Abuse Off Topic Outdated Duplicate Resolved Hide comment I’m afraid this change is wrong. file_exists() is not the only method vulnerable for this kind of attack. It is also the getimagesize() call in line 6856, which can now be exploited again due to your deletions of lines 6848 to 6856 (my fix from #94).