diff -Naur php-4.3.8/main/rfc1867.c php-4.3.8-fix/main/rfc1867.c
--- php-4.3.8/main/rfc1867.c 2004-12-23 08:16:16.000000000 +0200
+++ php-4.3.8-fix/main/rfc1867.c 2004-12-23 08:15:32.000000000 +0200
@@ -760,7 +760,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 {
 char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL;
- char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL;
+ char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL, *tmp=NULL;
 int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0, max_file_size=0, skip_upload=0;
 zval *http_post_files=NULL;
 HashTable *uploaded_files=NULL;
 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
@@ -928,6 +928,30 @@
 total_bytes = cancel_upload = 0;
+ /* New Rule: never repair potential malicious user input */
+ if (!skip_upload) {
+ long c = 0;
+
+ tmp = param;
+
+ while (*tmp) {
+ if (*tmp == '[') {
+ c++;
+ } else if (*tmp == ']') {
+ c--;
+ if (tmp[1] && tmp[1] != '[') {
+ skip_upload = 1;
+ break;
+ }
+ }
+ if (c < 0) {
+ skip_upload = 1;
+ break;
+ }
+ tmp++;
+ }
+ }
+
 if (!skip_upload) {
 /* Handle file */
 fp = php_open_temporary_file(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
@@ -996,10 +1020,6 @@
 * start_arr is set to point to 1st [
 */
 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
- /* handle unterminated [ */
- if (!is_arr_upload && start_arr) {
- *start_arr = '_';
- }
 if (is_arr_upload) {
 array_len = strlen(start_arr);
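Review bot: The validation loop in the second hunk never rejects a field name whose brackets are left open — `c` is only tested for going negative, so a name such as `a[b` or `a[b][` leaves the `while` with `c > 0` and `skip_upload` still 0, while the third hunk removes the only code that used to neutralize exactly that case (`*start_arr = '_'`). Since the stated rule is to refuse rather than repair suspicious input, add `if (c != 0) { skip_upload = 1; }` directly after the `while` loop so an unterminated `[` is rejected the same way a stray `]` already is. Whether the surviving `strchr`/`is_arr_upload` path further down copes with an unbalanced `[` is not visible in these hunks, so this is inferred from what is shown. As a point of style, `tmp` is used only by this loop yet is declared at function scope in the first hunk, and `long c` is a plain nesting counter — both could be `int` locals inside the `if (!skip_upload)` block. rfc1867_post_handler begins and ends outside these hunks.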