The Wakaba and Kareha support thread, part 2 (1000)

472 Name: Anonymous : 2009-01-03 19:05 ID:Qsh8IyKG

This is a suggestion regarding security. I assume this is the correct place to post it; otherwise, I can start a new topic.

Please implement proper file content filtering in Wakaba/Kareha. As of right now, Wakaba filters out forbidden file types through an array of forbidden extensions, but this is not necessarily sufficient. For example, a PHP file may be uploaded with extension ".php.7z". If a board allows the 7z extension and if the file is not renamed (as is the default in the case of Wakaba), an Apache server may in fact still execute it, resulting in the execution of malicious code. This has actually caused a significant disturbance on a site with which I help out. A simple two-line patch that relies on the UNIX file() utility has been written to address this for the moment.
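The check requested in the post above, sketched as an added example; it is not Wakaba/Kareha code and not the two-line patch the poster mentions. It compares leading magic bytes inline instead of calling the `file` utility, and the extension list, allowed types and function names are assumptions made for illustration.

```python
import os

# Assumption: extensions a server might map to a script handler; adjust per host.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py",
                   "cgi", "asp", "jsp", "shtml"}

# Leading signatures for the types this hypothetical board allows.
MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}

def check_upload(filename, data):
    """Return (ok, reason) for a client-supplied file name and its content."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in MAGIC:
        return False, "extension not allowed"
    # Inspect every inner dot-separated segment, not only the last one:
    # "shell.php.7z" passes a last-extension filter but still carries "php".
    for seg in parts[1:-1]:
        if seg in EXECUTABLE_EXTS:
            return False, "executable extension '%s' inside name" % seg
    # Content must start with the signature of the claimed type.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match ." + ext
    return True, "ok"

def stored_name(ext, seq):
    """Server-generated name, so no client-controlled segment reaches disk."""
    return "%d.%s" % (seq, ext)

if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    archive = MAGIC["7z"] + bytes(26)
    script = b"<?php echo 1; ?>"
    for name, body in [("photo.7z", archive), ("shell.php.7z", script),
                       ("notes.7z", script)]:
        print(name, check_upload(name, body))
```

A signature match only shows how the file begins, so the name checks and server-side renaming stay in place alongside it.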

This thread has been closed. You cannot post in this thread any longer.