From 7b93cc57dbfbb574b1b06e32839f838b82efb0cd Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 27 May 2026 13:58:44 +0200
Subject: [PATCH] [SECURITY] Add missing session check for cached files (CVE-2026-9712)

---
 src/pretix/plugins/ticketoutputpdf/api.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/pretix/plugins/ticketoutputpdf/api.py b/src/pretix/plugins/ticketoutputpdf/api.py
index 231c48b0f..66d0d8a52 100644
--- a/src/pretix/plugins/ticketoutputpdf/api.py
+++ b/src/pretix/plugins/ticketoutputpdf/api.py
@@ -229,6 +229,11 @@ class TicketRendererViewSet(viewsets.ViewSet):
     @action(detail=False, methods=['GET'], url_name='download', url_path='download/(?P[^/]+)/(?P[^/]+)')
     def download(self, *args, **kwargs):
         cf = get_object_or_404(CachedFile, id=kwargs['cfid'])
+        if not cf.allowed_for_session(self.request, "ticketoutputpdf-api"):
+            return Response(
+                {'status': 'failed', 'message': 'Unknown file ID or export failed'},
+                status=status.HTTP_410_GONE
+            )
         if cf.file:
             resp = ChunkBasedFileResponse(cf.file.file, content_type=cf.type)
             resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename).encode("ascii", "ignore")
@@ -265,6 +270,7 @@ class TicketRendererViewSet(viewsets.ViewSet):
         serializer.is_valid(raise_exception=True)
 
         cf = CachedFile(web_download=False)
+        cf.bind_to_session(self.request, "ticketoutputpdf-api")
         cf.date = now()
         cf.expires = now() + timedelta(hours=24)
         cf.save()
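Review bot: A file id that does not exist still returns 404 from `get_object_or_404` on the line above the new check, while an existing id bound to another session now returns 410, so the status code distinguishes the two cases even though the message text is identical for both. If that distinction matters (CachedFile ids look opaque here, so the exposure is presumably small), look the object up with `cf = CachedFile.objects.filter(id=kwargs['cfid']).first()` and fold `cf is None` into the new condition so both paths share the same 410 response. `download` also carries no docstring; a one-liner such as `"""Serve a finished export; only the session that created it (bound via bind_to_session when the file is created) may fetch it, any other session gets 410."""` records why the check exists. The body of `download` continues past the end of the hunk.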
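Review bot: The session key `"ticketoutputpdf-api"` is now a bare literal here and again in `download`'s `allowed_for_session` call; a typo on either side would silently make every download fail the check, so hoist it to a module constant such as `SESSION_BIND_KEY = "ticketoutputpdf-api"` and pass that at both call sites. `bind_to_session` is called before `cf.save()`, which is fine only if it does not depend on the row having a primary key yet — worth confirming against the CachedFile implementation, which is outside this diff. Clients of this API that authenticate with a token rather than a browser session would also depend on how `allowed_for_session` treats a request without a session; that behaviour is not visible here, so a regression test covering both a second session and a token-authenticated client would pin the fix. The enclosing action starts before the hunk.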