upload_photo endpoint stored raw uploaded bytes verbatim — EXIF GPS/device
fingerprint leaked, polyglot files (image + appended payload) survived MIME
check and were served back with image/* content-type.
Add services/image_sanitizer.py: open via Pillow, force full decode, drop
EXIF, normalize to RGB, cap longest edge at 2400px, re-encode as JPEG
quality=85. Pipe upload_photo through it; reject undecodable input with 400.
Pin Pillow>=10.3.0 explicitly (was transitive via weasyprint).
Closes finding #6 from 2026-05-24 trade-in audit.