Security: block direct upload access, fix view-doc path traversal guard

- uploads/.htaccess: deny all direct web access to uploaded customer docs
- admin/view-doc.php: add realpath() path-traversal check (mirrors view-doc.php)
- admin/view-doc.php: remove dead double-query (result was always overwritten)
- .gitignore: uploads/* wildcard so .htaccess can be tracked
This commit is contained in:
2026-06-13 14:20:41 +00:00
parent 5e2d0da230
commit bb21fca399
3 changed files with 25 additions and 7 deletions
+2 -1
View File
@@ -2,4 +2,5 @@
.DS_Store
*.swp
uploads/
uploads/*
!uploads/.htaccess