Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/api/cms/upload-spielplan-pdf.post.js

@@ -2,6 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { assertPdfMagicHeader } from '../../utils/upload-validation.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -10,8 +11,10 @@ const storage = multer.diskStorage({
     cb(null, uploadPath)
   },
   filename: (req, file, cb) => {
-    const type = req.body.type
-    const filename = `spielplan_${type}.pdf`
+    // WICHTIG: Validieren, bevor der Dateiname gebaut wird (sonst Pfad-/Filename-Injection möglich)
+    const type = String(req.body?.type || '').trim()
+    const safeType = ['gesamt', 'erwachsene', 'nachwuchs'].includes(type) ? type : 'invalid'
+    const filename = `spielplan_${safeType}.pdf`
     cb(null, filename)
   }
 })
@@ -85,6 +88,8 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    await assertPdfMagicHeader(file.path)
+
     if (!type || !['gesamt', 'erwachsene', 'nachwuchs'].includes(type)) {
       // Lösche die hochgeladene Datei
       await fs.unlink(file.path)