mirror of
https://github.com/myronblair/parkerslingshotrentals
synced 2026-06-30 17:50:31 -05:00
Security: block direct upload access, fix view-doc path traversal guard
- uploads/.htaccess: deny all direct web access to uploaded customer docs - admin/view-doc.php: add realpath() path-traversal check (mirrors view-doc.php) - admin/view-doc.php: remove dead double-query (result was always overwritten) - .gitignore: uploads/* wildcard so .htaccess can be tracked
This commit is contained in:
@@ -0,0 +1,8 @@
|
||||
# Block direct web access — documents served only through admin/view-doc.php
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all denied
|
||||
</IfModule>
|
||||
<IfModule !mod_authz_core.c>
|
||||
Order deny,allow
|
||||
Deny from all
|
||||
</IfModule>
|
||||
Reference in New Issue
Block a user