[SECURITY] Prevent access to arbitrary cached files by UUID (CVE-2025-14881)

2025-12-18 12:52:04 +01:00
parent 847dc0f992
commit aa9c478c30
6 changed files with 52 additions and 8 deletions
--- a/src/pretix/control/views/modelimport.py
+++ b/src/pretix/control/views/modelimport.py
@@ -38,6 +38,7 @@ from datetime import timedelta

 from django.conf import settings
 from django.contrib import messages
+from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -85,6 +86,7 @@ class BaseImportView(TemplateView):
            filename='import.csv',
            type='text/csv',
        )
+        cf.bind_to_session(request, "modelimport")
        cf.file.save('import.csv', request.FILES['file'])

        if self.request.POST.get("charset") in ENCODINGS:
@@ -137,7 +139,10 @@ class BaseProcessView(AsyncAction, FormView):

    @cached_property
    def file(self):
-        return get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")
+        cf = get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")
+        if not cf.allowed_for_session(self.request, "modelimport"):
+            raise Http404()
+        return cf

    @cached_property
    def parsed(self):
--- a/src/pretix/control/views/pdf.py
+++ b/src/pretix/control/views/pdf.py
@@ -247,7 +247,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
        cf = None
        if request.POST.get("background", "").strip():
            try:
-                cf = CachedFile.objects.get(id=request.POST.get("background"))
+                cf = CachedFile.objects.get(id=request.POST.get("background"), web_download=True)
            except CachedFile.DoesNotExist:
                pass

--- a/src/pretix/control/views/shredder.py
+++ b/src/pretix/control/views/shredder.py
@@ -38,7 +38,8 @@ from collections import OrderedDict
 from zipfile import ZipFile

 from django.contrib import messages
-from django.shortcuts import get_object_or_404, redirect
+from django.http import Http404
+from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.translation import get_language, gettext_lazy as _
@@ -94,6 +95,8 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
            cf = CachedFile.objects.get(pk=kwargs['file'])
        except CachedFile.DoesNotExist:
            raise ShredError(_("The download file could no longer be found on the server, please try to start again."))
+        if not cf.allowed_for_session(self.request):
+            raise Http404()

        with ZipFile(cf.file.file, 'r') as zipfile:
            indexdata = json.loads(zipfile.read('index.json').decode())
@@ -111,7 +114,7 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
        ctx = super().get_context_data(**kwargs)
        ctx['shredders'] = self.shredders
        ctx['download_on_shred'] = any(shredder.require_download_confirmation for shredder in shredders)
-        ctx['file'] = get_object_or_404(CachedFile, pk=kwargs.get("file"))
+        ctx['file'] = cf
        return ctx