CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

[SECURITY] Reusable media export: Respect giftcard permissions (CVE-2026-11764) (#6261)

Browse Source
This commit is contained in:
Richard Schreiber
2026-06-09 13:20:48 +02:00
committed by Raphael Michel
parent dfd388ddeb
commit 5d449ea313
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/pretix/base/exporters/reusablemedia.py
View File

@@ -61,18 +61,23 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
yield headers yield headers
yield self.ProgressSetTotal(total=media.count()) yield self.ProgressSetTotal(total=media.count())
can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
for medium in media.iterator(chunk_size=1000): for medium in media.iterator(chunk_size=1000):
row = [ giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
if giftcard_secret and not can_read_giftcards:
giftcard_secret = giftcard_secret[:3] + ""
yield [
medium.type, medium.type,
medium.identifier, medium.identifier,
_('Yes') if medium.active else _('No'), _('Yes') if medium.active else _('No'),
date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '', date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
medium.customer.identifier if medium.customer_id else '', medium.customer.identifier if medium.customer_id else '',
f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '', f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '',
medium.linked_giftcard.secret if medium.linked_giftcard_id else '', giftcard_secret,
medium.notes, medium.notes,
] ]
yield row
def get_filename(self): def get_filename(self):
return f'{self.organizer.slug}_media' return f'{self.organizer.slug}_media'