Security Nice-to-Have: Dockerfile, Magic-Bytes, Path-Traversal, TABLE_MAP, Deps
- Dockerfile: non-root user appuser, chown /data + /app - media_utils: validate_upload() Magic-Byte-Check (JPEG/PNG/GIF/WebP/MP4/WebM) - media_utils: safe_media_path() Path-Traversal-Schutz beim Löschen - diary/health/dogs: safe_media_path() statt os.path.join + lstrip - diary: validate_upload() vor jedem Medien-Upload - forum: _LIKE_TABLE dict statt dynamischer String-Interpolation - requirements: uvicorn 0.34, PyJWT 2.10.1, pydantic 2.10.6, bcrypt 4.3, httpx 0.28.1, anthropic 0.49 - SW by-v319, APP_VER 307
This commit is contained in:
parent
15f854d96c
commit
71e588a240
9 changed files with 100 additions and 29 deletions
|
|
@ -476,12 +476,14 @@ async def upload_post_foto(
|
|||
# ------------------------------------------------------------------
|
||||
# POST /api/forum/like — Toggle
|
||||
# ------------------------------------------------------------------
|
||||
_LIKE_TABLE = {'thread': 'forum_threads', 'post': 'forum_posts'}
|
||||
|
||||
@router.post("/like")
|
||||
async def toggle_like(data: LikeBody, user=Depends(get_current_user)):
|
||||
if data.target_type not in ('thread', 'post'):
|
||||
if data.target_type not in _LIKE_TABLE:
|
||||
raise HTTPException(400, "Ungültiger Typ.")
|
||||
|
||||
table = f"forum_{data.target_type}s"
|
||||
table = _LIKE_TABLE[data.target_type]
|
||||
with db() as conn:
|
||||
existing = conn.execute(
|
||||
"SELECT 1 FROM forum_likes WHERE user_id=? AND target_type=? AND target_id=?",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue