mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00

Go to file

Théophile Gervreau-Mercier a2b1ff5f41 security: fix all HIGH priority items from TODO.SECURITY.md

Items resolved:
- #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage).
  Uploads were previously stored in public/admin/actions/data/ which is web-accessible.
- #4 (HIGH): Align file paths and add media.php controller.
  DB paths are now storage-relative (theses/YEAR/ID/file, covers/file).
  New public/media.php serves files with path-traversal jail, MIME allow-list,
  and proper caching headers. memoire.php and search.php updated to use /media.php?path=.
  Also fixed: cover images were never recorded in thesis_files (broken INSERT).
- #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only.
  HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that
  allowed unlimited rate-limit bypass by rotating spoofed IPs.
- #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf.
  Apache .htaccess directives are silently ignored by nginx; none were active.
  CSP added to /admin/ location block, .log file denial added globally,
  autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md.

Supporting changes:
- config/bootstrap.php: add STORAGE_ROOT constant
- nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP
- docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated

2026-02-08 14:01:45 +01:00

config

security: fix all HIGH priority items from TODO.SECURITY.md

2026-02-08 14:01:45 +01:00

database

Refactor admin panel and add migration documentation

2026-02-06 12:14:21 +01:00

docs

security: fix all HIGH priority items from TODO.SECURITY.md

2026-02-08 14:01:45 +01:00

includes

dev: add live-reload development server

2026-02-08 11:58:35 +01:00

lib

security: fix all HIGH priority items from TODO.SECURITY.md

2026-02-08 14:01:45 +01:00

nginx

security: fix all HIGH priority items from TODO.SECURITY.md

2026-02-08 14:01:45 +01:00

public

security: fix all HIGH priority items from TODO.SECURITY.md

2026-02-08 14:01:45 +01:00

scripts

Fix admin CSS not loading and quirks mode issues

2026-02-06 13:26:24 +01:00

tests

Major refactor

2026-02-05 20:16:19 +01:00

.gitignore

Fix admin CSS not loading and quirks mode issues

2026-02-06 13:26:24 +01:00

justfile

dev: add live-reload development server

2026-02-08 11:58:35 +01:00

README.md

Mise à jours et création de READMEs dédier.

2026-01-26 15:58:24 +01:00

README.md

PostERG - Monorepo

PostERG est un projet de l'ERG (École de Recherche Graphique) permettant aux étudiant.e.s sortant en cursus de Master de mettre à disposition leurs mémoires et travaux de fin d'études.

Structure du projet

Ce monorepo contient deux applications :

formulaire/ - Formulaire d'ajout de mémoires pour les étudiant.e.s
front-backend/ - Site web public affichant les mémoires soumis

Prérequis

PHP 7.4 ou supérieur
Composer (gestionnaire de dépendances PHP)

Installation de Composer

curl -sS https://getcomposer.org/installer | php

php -r "readfile('https://getcomposer.org/installer');" | php

ou installer le paquet composer de votre distribution.

Installation

Chaque sous-projet a ses propres dépendances. Installez-les séparément :

cd formulaire && composer install
cd ../front-backend && composer install

Lancement en local

Pour chaque application, lancez un serveur PHP :

# Pour le formulaire (port 3000)
cd formulaire && php -S 127.0.0.1:3000

# Pour le site web (port 3001)
cd front-backend && php -S 127.0.0.1:3001

Documentation

Liens

Site web PostERG

Languages

PHP 80.5%

CSS 14.9%

Shell 2.8%

JavaScript 1.3%

Just 0.5%