diff --git a/admin/view-doc.php b/admin/view-doc.php
index 4ff155f..f5b7786 100644
--- a/admin/view-doc.php
+++ b/admin/view-doc.php
@@ -29,17 +29,17 @@ if (!$row || !$row['file_path']) {
 exit('No document on file.');
 }
-$base = realpath(dirname(__DIR__) . '/uploads');
-$path = realpath(dirname(__DIR__) . '/' . $row['file_path']);
+$root = dirname(__DIR__);
+$base = realpath($root . '/uploads');
+$path = realpath($root . '/' . $row['file_path']);
-if (!$path || !$base || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
+if (!$path || !$base || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
 http_response_code(404);
 header('Content-Type: text/plain');
 exit('File not found.');
 }
-$finfo = new finfo(FILEINFO_MIME_TYPE);
-$mime = $finfo->file($path);
+$mime = mime_content_type($path);
 $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];
 if (!isset($allowed[$mime])) {
 http_response_code(403);
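Review bot: `mime_content_type()` on the new `$mime` line returns `false` (with a warning) when the file cannot be read or fileinfo fails, and the following `isset($allowed[$mime])` only rejects that case because `false` collapses to array key `0`; make the failure explicit so the 403 does not hinge on the key cast, `if ($mime === false || !isset($allowed[$mime])) {`. The `str_starts_with()` replacement also raises this file's minimum to PHP 8.0, which is worth confirming against the project's declared platform constraint since the previous `strpos()` form ran on 7.x. The containment check itself is sound because both `$base` and `$path` go through `realpath()`, so a symlink under uploads that resolves elsewhere is rejected as intended. The headers that ultimately serve the bytes are outside this hunk, so I could not confirm that `X-Content-Type-Options: nosniff` accompanies the sniffed `Content-Type`; it should, since the type is derived from file content rather than a trusted source.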