security: fix all HIGH priority items from TODO.SECURITY.md

Items resolved: - #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage). Uploads were previously stored in public/admin/actions/data/ which is web-accessible. - #4 (HIGH): Align file paths and add media.php controller. DB paths are now storage-relative (theses/YEAR/ID/file, covers/file). New public/media.php serves files with path-traversal jail, MIME allow-list, and proper caching headers. memoire.php and search.php updated to use /media.php?path=. Also fixed: cover images were never recorded in thesis_files (broken INSERT). - #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only. HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that allowed unlimited rate-limit bypass by rotating spoofed IPs. - #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf. Apache .htaccess directives are silently ignored by nginx; none were active. CSP added to /admin/ location block, .log file denial added globally, autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md. Supporting changes: - config/bootstrap.php: add STORAGE_ROOT constant - nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP - docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated
2026-05-07 03:29:19 +02:00 · 2026-02-08 14:01:33 +01:00
parent f5d3281c43
commit a2b1ff5f41
10 changed files with 203 additions and 50 deletions
--- a/public/memoire.php
+++ b/public/memoire.php
@@ -125,16 +125,16 @@ include APP_ROOT . '/includes/header.php'; ?>
                    <div class="block">
                        <?php if ($ext === 'pdf'): ?>
                            <!-- Display PDF files using the embed element -->
-                            <embed src="<?= htmlspecialchars($file['file_path']); ?>" type="application/pdf" width="100%" height="600px" />
+                            <embed src="/media.php?path=<?= urlencode($file['file_path']); ?>" type="application/pdf" width="100%" height="600px" />
                        <?php elseif (in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'bmp'])): ?>
                            <!-- Display image files using the img element -->
                            <figure>
-                                <img src="<?= htmlspecialchars($file['file_path']); ?>" alt="<?= htmlspecialchars($file['file_name']); ?>">
+                                <img src="/media.php?path=<?= urlencode($file['file_path']); ?>" alt="<?= htmlspecialchars($file['file_name']); ?>">
                            </figure>
                        <?php elseif ($ext === 'mp4'): ?>
                            <!-- Display MP4 video files using the video element -->
                            <video width="100%" height="auto" controls>
-                                <source src="<?= htmlspecialchars($file['file_path']); ?>" type="video/mp4">
+                                <source src="/media.php?path=<?= urlencode($file['file_path']); ?>" type="video/mp4">
                                Your browser does not support the video tag.
                            </video>
                        <?php endif; ?>