Security: block direct upload access, fix view-doc path traversal guard

- uploads/.htaccess: deny all direct web access to uploaded customer docs
- admin/view-doc.php: add realpath() path-traversal check (mirrors view-doc.php)
- admin/view-doc.php: remove dead double-query (result was always overwritten)
- .gitignore: uploads/* wildcard so .htaccess can be tracked
2026-06-13 14:20:41 +00:00
parent 5e2d0da230
commit bb21fca399
3 changed files with 25 additions and 7 deletions
@@ -0,0 +1,8 @@
# Block direct web access — documents served only through admin/view-doc.php
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
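Review bot: the whole hunk depends on Apache processing .htaccess for the uploads directory, which this change cannot guarantee by itself; if the vhost sets `AllowOverride None` (or omits `AuthConfig` for `Require all denied` and `Limit` for the `Order`/`Deny from all` fallback), the file is silently ignored and direct download of the customer documents stays possible. Suggest duplicating the deny in a `<Directory>` block of the server configuration so the control does not hinge on override settings, and documenting in the commit or a deployment note that the rule has no effect on non-Apache front ends (nginx and similar need an equivalent location-level deny). The paired `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` blocks correctly cover both the 2.4 and 2.2 directive sets, so no change is needed there.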