Security Nice-to-Have: Dockerfile, Magic-Bytes, Path-Traversal, TABLE_MAP, Deps

- Dockerfile: non-root user appuser, chown /data + /app
- media_utils: validate_upload() Magic-Byte-Check (JPEG/PNG/GIF/WebP/MP4/WebM)
- media_utils: safe_media_path() Path-Traversal-Schutz beim Löschen
- diary/health/dogs: safe_media_path() statt os.path.join + lstrip
- diary: validate_upload() vor jedem Medien-Upload
- forum: _LIKE_TABLE dict statt dynamischer String-Interpolation
- requirements: uvicorn 0.34, PyJWT 2.10.1, pydantic 2.10.6, bcrypt 4.3, httpx 0.28.1, anthropic 0.49
- SW by-v319, APP_VER 307

backend/routes/dogs.py

@@ -8,6 +8,7 @@ from typing import Optional
 from database import db
 from auth import get_current_user
 from routes.push import send_push_to_user
+from media_utils import safe_media_path
 
 router    = APIRouter()
 MEDIA_DIR = os.getenv("MEDIA_DIR", "/data/media")
@@ -208,8 +209,8 @@ async def delete_photo(dog_id: int, user=Depends(get_current_user)):
     if not row:
         raise HTTPException(404, "Hund nicht gefunden.")
     if row["foto_url"]:
-        path = os.path.join(MEDIA_DIR, row["foto_url"].lstrip("/media/"))
-        if os.path.exists(path):
+        path = safe_media_path(MEDIA_DIR, row["foto_url"])
+        if path and os.path.exists(path):
             os.remove(path)
     with db() as conn:
         conn.execute(