secure logo uploading, avoid frame-inclusion, adjustments to SECURITY.md and minor changes in UI for domain import and darkmode

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Settings/Store.php

@@ -415,13 +415,18 @@ class Store
 				}
 
 				// Make sure mime-type matches an image
-				if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), [
-					'image/jpeg',
-					'image/jpg',
-					'image/png',
-					'image/gif'
-				])) {
-					throw new Exception("Uploaded file not a valid image");
+				if (function_exists('finfo_open')) {
+					$finfo = finfo_open(FILEINFO_MIME_TYPE);
+					$mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
+					finfo_close($finfo);
+				} else {
+					$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
+				}
+				if (empty($mimetype)) {
+					$mimetype = 'application/octet-stream';
+				}
+				if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
+					throw new \Exception("Uploaded file is not a valid image");
 				}
 
 				// Determine file extension
@@ -429,6 +434,15 @@ class Store
 				$file_extension = strtolower(array_pop($spl));
 				unset($spl);
 
+				if (!in_array($file_extension, [
+					'jpeg',
+					'jpg',
+					'png',
+					'gif'
+				])) {
+					throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
+				}
+
 				// Move file
 				if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
 					throw new Exception("Unable to save image to img folder");