Chore: Sprint32-36 Zwischenstand — alle Änderungen aus dieser Session committen

2026-05-03 11:09:39 +02:00 · 2026-05-03 11:09:39 +02:00 · 747c353444
commit 747c353444
parent f4052fbb7d
20 changed files with 3115 additions and 63 deletions
--- a/backend/routes/wiki.py
+++ b/backend/routes/wiki.py
@ -317,19 +317,24 @@ async def submit_foto(
    if not rights_confirmed:
        raise HTTPException(400, "Bildrechte-Bestätigung fehlt.")

-    # Dateiformat prüfen
-    ct = file.content_type or ""
-    if not ct.startswith("image/"):
-        raise HTTPException(400, "Nur Bilddateien erlaubt.")
+    _IMAGE_MAGIC = [
+        b"\xff\xd8\xff",           # JPEG
+        b"\x89PNG\r\n\x1a\n",      # PNG
+        b"RIFF",                   # WebP (RIFF....WEBP)
+        b"GIF87a", b"GIF89a",      # GIF
+    ]

    os.makedirs(SUBMIT_DIR, exist_ok=True)
-    ts       = int(time.time())
-    filename = f"{slug}_{user['id']}_{ts}.jpg"
-    path     = os.path.join(SUBMIT_DIR, filename)
-
+    ts      = int(time.time())
    content = await file.read()
    if len(content) > 8 * 1024 * 1024:
        raise HTTPException(400, "Datei zu groß (max. 8 MB).")
+
+    if not any(content.startswith(magic) for magic in _IMAGE_MAGIC):
+        raise HTTPException(400, "Nur Bilddateien erlaubt (JPEG, PNG, WebP, GIF).")
+
+    filename = f"{slug}_{user['id']}_{ts}.jpg"
+    path     = os.path.join(SUBMIT_DIR, filename)
    with open(path, "wb") as f:
        f.write(content)