[SECURITY] Bind relevant cached file downloads to the current session

2020-12-18 19:17:23 +01:00
parent a3dd015c23
commit c60a25f2bc
11 changed files with 42 additions and 9 deletions
--- a/src/pretix/base/views/cachedfiles.py
+++ b/src/pretix/base/views/cachedfiles.py
@@ -13,7 +13,11 @@ class DownloadView(TemplateView):
    @cached_property
    def object(self) -> CachedFile:
        try:
-            return get_object_or_404(CachedFile, id=self.kwargs['id'])
+            o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
+            if o.session_key:
+                if o.session_key != self.request.session.session_key:
+                    raise Http404()
+            return o
        except ValueError:   # Invalid URLs
            raise Http404()