[SECURITY] Reusable media export: Hide giftcard secret (CVE-2026-11764 backport) (#6262)

2026-06-10 01:15:05 +00:00 · 2026-06-09 13:20:27 +02:00
parent 7e6df3d427
commit 803964da0e
1 changed files with 3 additions and 1 deletions
--- a/src/pretix/base/exporters/reusablemedia.py
+++ b/src/pretix/base/exporters/reusablemedia.py
@@ -69,7 +69,9 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
                date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
                medium.customer.identifier if medium.customer_id else '',
                f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '',
-                medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
+                # we cannot determine here whether user has permission organizer.giftcards:read
+                # so default to not showing giftcard secret
+                medium.linked_giftcard.secret[:3] + "…" if medium.linked_giftcard_id else '',
                medium.notes,
            ]
            yield row