[SECURITY] Add missing session check for cached files (CVE-2026-9712)

Raphael Michel
2026-05-27 13:58:44 +02:00
parent 94aec6f511
commit 7b9d095f4e


@@ -229,6 +229,11 @@ class TicketRendererViewSet(viewsets.ViewSet):
@action(detail=False, methods=['GET'], url_name='download', url_path='download/(?P<asyncid>[^/]+)/(?P<cfid>[^/]+)')
def download(self, *args, **kwargs):
cf = get_object_or_404(CachedFile, id=kwargs['cfid'])
if not cf.allowed_for_session(self.request, "ticketoutputpdf-api"):
return Response(
{'status': 'failed', 'message': 'Unknown file ID or export failed'},
status=status.HTTP_410_GONE
)
if cf.file:
resp = ChunkBasedFileResponse(cf.file.file, content_type=cf.type)
resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename).encode("ascii", "ignore")
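Review bot: The new guard fixes the missing ownership check, but because `get_object_or_404` runs before `allowed_for_session`, a caller still gets 404 for an unknown `cfid` and 410 for an existing file bound to someone else's session, so the status code distinguishes the two cases even though the message says "Unknown file ID or export failed". Folding the lookup into the same branch removes that difference: `cf = CachedFile.objects.filter(id=kwargs['cfid']).first()` followed by `if cf is None or not cf.allowed_for_session(self.request, "ticketoutputpdf-api"):` returning the same 410 response. The scope string "ticketoutputpdf-api" is now repeated verbatim here and in the `bind_to_session` call of the second hunk; a module-level constant would keep the two from drifting apart, since a mismatch would silently deny every download. The body of `download` continues past this hunk, and the semantics of `allowed_for_session` are not visible here.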
@@ -265,6 +270,7 @@ class TicketRendererViewSet(viewsets.ViewSet):
serializer.is_valid(raise_exception=True)
cf = CachedFile(web_download=False)
cf.bind_to_session(self.request, "ticketoutputpdf-api")
cf.date = now()
cf.expires = now() + timedelta(hours=24)
cf.save()