b120415d53
Enhanced validateFileUpload() function in functions.php with comprehensive security: - Hardcoded MIME type whitelist per file type (profile_picture, proof_of_payment, document) - Strict file size limits per type (5MB images, 10MB documents) - Extension validation against whitelist - Double extension prevention (e.g., shell.php.jpg) - MIME type verification using finfo - Image validation with getimagesize() - is_uploaded_file() verification - Random filename generation to prevent path traversal Updated file upload handlers: - upload_profile_picture.php - Profile picture uploads (JPEG, PNG, GIF, WEBP, 5MB max) - submit_pop.php - Proof of payment uploads (PDF only, 10MB max) + CSRF validation + audit logging - add_campsite.php - Campsite thumbnail uploads + input validation + CSRF validation + audit logging Security improvements: - All uploads use random filenames to prevent directory traversal - All uploads use secure file permissions (0644) - File validation occurs before move_uploaded_file() - Comprehensive error logging for failed uploads - Audit logging for successful file operations
2.7 KiB
2.7 KiB