[SECURITY] Prevent access to arbitrary cached files by UUID (CVE-2025-14881)

2025-12-18 12:52:04 +01:00
parent 847dc0f992
commit aa9c478c30
6 changed files with 52 additions and 8 deletions
--- a/src/pretix/control/views/shredder.py
+++ b/src/pretix/control/views/shredder.py
@@ -38,7 +38,8 @@ from collections import OrderedDict
 from zipfile import ZipFile

 from django.contrib import messages
-from django.shortcuts import get_object_or_404, redirect
+from django.http import Http404
+from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.translation import get_language, gettext_lazy as _
@@ -94,6 +95,8 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
            cf = CachedFile.objects.get(pk=kwargs['file'])
        except CachedFile.DoesNotExist:
            raise ShredError(_("The download file could no longer be found on the server, please try to start again."))
+        if not cf.allowed_for_session(self.request):
+            raise Http404()

        with ZipFile(cf.file.file, 'r') as zipfile:
            indexdata = json.loads(zipfile.read('index.json').decode())
@@ -111,7 +114,7 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
        ctx = super().get_context_data(**kwargs)
        ctx['shredders'] = self.shredders
        ctx['download_on_shred'] = any(shredder.require_download_confirmation for shredder in shredders)
-        ctx['file'] = get_object_or_404(CachedFile, pk=kwargs.get("file"))
+        ctx['file'] = cf
        return ctx