Off. If you provide the `PHP_SESSION_UPLOAD_PROGRESS` in multipart POST data, PHP will enable the session for you.
With `PHP_SESSION_UPLOAD_PROGRESS` you can control data inside the session, so if you include your session file you can include a part you control (a PHP shellcode, for example).
Because of `session.upload_progress.prefix`, our SESSION file will start with an annoying prefix.
`convert.base64-decode` filters; this is because, when base64-decoding, PHP removes the weird characters, so after 3 times only the payload sent by the attacker remains (and the attacker then controls the initial part).
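From the defender's side, the two request indicators described above can be checked at a proxy or in log review; the following is an added example, not code from the original page. The function names, finding labels and sample requests are constructed, and it assumes the application does not itself use PHP's upload-progress feature and that `session.upload_progress.name` has its default value.

```python
import re
from urllib.parse import unquote

# Field name from the page; it is the default of session.upload_progress.name.
UPLOAD_PROGRESS_FIELD = "PHP_SESSION_UPLOAD_PROGRESS"
FIELD_RE = re.compile(r'Content-Disposition:\s*form-data;[^\r\n]*\bname="([^"]*)"', re.I)
FILTER_RE = re.compile(r"php://filter|convert\.base64-decode", re.I)

def inspect_request(method, target, content_type, body):
    """Return indicator labels (hypothetical names) found in one HTTP request."""
    findings = []
    # Indicator 1: the upload-progress field in a multipart POST.
    if method.upper() == "POST" and content_type.lower().startswith("multipart/form-data"):
        if UPLOAD_PROGRESS_FIELD in FIELD_RE.findall(body):
            findings.append("upload-progress-field")
    # Indicator 2: a php://filter wrapper or base64-decode filter in the target.
    decoded = target
    for _ in range(3):  # undo up to three layers of URL encoding
        decoded = unquote(decoded)
    if FILTER_RE.search(decoded):
        findings.append("php-filter-in-target")
    return findings

def multipart(boundary, fields):
    """Build a constructed multipart body for the samples below."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields]
    return "".join(parts) + f"--{boundary}--\r\n"

# Constructed sample requests: (method, target, content type, body)
CT = "multipart/form-data; boundary=xyz"
SAMPLES = [
    ("POST", "/upload.php", CT, multipart("xyz", [("avatar", "benign")])),
    ("POST", "/index.php", CT, multipart("xyz", [(UPLOAD_PROGRESS_FIELD, "constructed")])),
    ("GET", "/index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-decode"
            "%2Fresource%3DPLACEHOLDER", "", ""),
]

if __name__ == "__main__":
    for method, target, ctype, body in SAMPLES:
        print(method, target[:40], inspect_request(method, target, ctype, body))
```

If the upload-progress feature is not needed, turning off `session.upload_progress.enabled` in `php.ini` means PHP no longer acts on the field, and the first indicator then signals probing rather than exposure.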