security: validate staged import file identifiers

[RussH]

Security: hardens import temporary file handling by validating staged import file identifiers before they are used to build paths under CATS_TEMP_DIR.

The import flow accepted a posted fileName value during staged imports. This change trims and validates the posted identifier before use, requiring it to:

• be non-empty
• match basename(fileID), preventing path traversal
• exist in the server-side session whitelist of valid staged import file IDs
• match using strict in_array() comparison

Invalid staged import file identifiers now return to the import screen before any file path is constructed or processed.

This was supplied as a git bundle for review rather than as a GitHub PR, so it was imported into a separate branch and reviewed before opening this PR.

Local checks performed:

• git bundle verify passed
• git fsck --full completed without corruption errors
• branch contains two commits:
  • a9f4342 Harden import temporary file handling
  • ba0acbd Validate staged import file identifiers
• changed file: modules/import/ImportUI.php
• php -l modules/import/ImportUI.php passed
• invalid fileName paths return before import processing continues

[anonymoususer72041]

@RussH please merge (#806 and) #807 first

[anonymoususer72041]

I suggest to drop the merge commit by rebasing instead of merging master.