Widget: Hide dialogs by default (Z#23218872)

[SECURITY] Prevent access to arbitrary cached files by UUID (CVE-2025-14881)
Re-add missing trimmed for blocktrans (#5735 )
2025-12-19 16:22:26 +00:00 · 2025-12-19 16:03:36 +01:00 · 2025-12-19 12:59:21 +01:00 · 2025-12-18 20:28:06 +01:00
9 changed files with 58 additions and 11 deletions
--- a/src/pretix/api/views/exporters.py
+++ b/src/pretix/api/views/exporters.py
@@ -74,6 +74,11 @@ class ExportersMixin:
    @action(detail=True, methods=['GET'], url_name='download', url_path='download/(?P<asyncid>[^/]+)/(?P<cfid>[^/]+)')
    def download(self, *args, **kwargs):
        cf = get_object_or_404(CachedFile, id=kwargs['cfid'])
+        if not cf.allowed_for_session(self.request, "exporters-api"):
+            return Response(
+                {'status': 'failed', 'message': 'Unknown file ID or export failed'},
+                status=status.HTTP_410_GONE
+            )
        if cf.file:
            resp = ChunkBasedFileResponse(cf.file.file, content_type=cf.type)
            resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename).encode("ascii", "ignore")
@@ -109,7 +114,8 @@ class ExportersMixin:
        serializer = JobRunSerializer(exporter=instance, data=self.request.data, **self.get_serializer_kwargs())
        serializer.is_valid(raise_exception=True)

-        cf = CachedFile(web_download=False)
+        cf = CachedFile(web_download=True)
+        cf.bind_to_session(self.request, "exporters-api")
        cf.date = now()
        cf.expires = now() + timedelta(hours=24)
        cf.save()
--- a/src/pretix/base/models/base.py
+++ b/src/pretix/base/models/base.py
@@ -59,6 +59,37 @@ class CachedFile(models.Model):
    web_download = models.BooleanField(default=True)  # allow web download, True for backwards compatibility in plugins
    session_key = models.TextField(null=True, blank=True)  # only allow download in this session

+    def session_key_for_request(self, request, salt=None):
+        from ...api.models import OAuthAccessToken, OAuthApplication
+        from .devices import Device
+        from .organizer import TeamAPIToken
+
+        if hasattr(request, "auth") and isinstance(request.auth, OAuthAccessToken):
+            k = f'app:{request.auth.application.pk}'
+        elif hasattr(request, "auth") and isinstance(request.auth, OAuthApplication):
+            k = f'app:{request.auth.pk}'
+        elif hasattr(request, "auth") and isinstance(request.auth, TeamAPIToken):
+            k = f'token:{request.auth.pk}'
+        elif hasattr(request, "auth") and isinstance(request.auth, Device):
+            k = f'device:{request.auth.pk}'
+        elif request.session.session_key:
+            k = request.session.session_key
+        else:
+            raise ValueError("No auth method found to bind to")
+
+        if salt:
+            k = f"{k}!{salt}"
+        return k
+
+    def allowed_for_session(self, request, salt=None):
+        return (
+            not self.session_key or
+            self.session_key_for_request(request, salt) == self.session_key
+        )
+
+    def bind_to_session(self, request, salt=None):
+        self.session_key = self.session_key_for_request(request, salt)
+

@receiver(post_delete, sender=CachedFile)
 def cached_file_delete(sender, instance, **kwargs):
--- a/src/pretix/base/views/cachedfiles.py
+++ b/src/pretix/base/views/cachedfiles.py
@@ -36,9 +36,8 @@ class DownloadView(TemplateView):
    def object(self) -> CachedFile:
        try:
            o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
-            if o.session_key:
-                if o.session_key != self.request.session.session_key:
-                    raise Http404()
+            if not o.allowed_for_session(self.request):
+                raise Http404()
            return o
        except (ValueError, ValidationError):   # Invalid URLs
            raise Http404()
--- a/src/pretix/control/views/modelimport.py
+++ b/src/pretix/control/views/modelimport.py
@@ -38,6 +38,7 @@ from datetime import timedelta

 from django.conf import settings
 from django.contrib import messages
+from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -85,6 +86,7 @@ class BaseImportView(TemplateView):
            filename='import.csv',
            type='text/csv',
        )
+        cf.bind_to_session(request, "modelimport")
        cf.file.save('import.csv', request.FILES['file'])

        if self.request.POST.get("charset") in ENCODINGS:
@@ -137,7 +139,10 @@ class BaseProcessView(AsyncAction, FormView):

    @cached_property
    def file(self):
-        return get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")
+        cf = get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")
+        if not cf.allowed_for_session(self.request, "modelimport"):
+            raise Http404()
+        return cf

    @cached_property
    def parsed(self):
--- a/src/pretix/control/views/pdf.py
+++ b/src/pretix/control/views/pdf.py
@@ -247,7 +247,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
        cf = None
        if request.POST.get("background", "").strip():
            try:
-                cf = CachedFile.objects.get(id=request.POST.get("background"))
+                cf = CachedFile.objects.get(id=request.POST.get("background"), web_download=True)
            except CachedFile.DoesNotExist:
                pass

--- a/src/pretix/control/views/shredder.py
+++ b/src/pretix/control/views/shredder.py
@@ -38,7 +38,8 @@ from collections import OrderedDict
 from zipfile import ZipFile

 from django.contrib import messages
-from django.shortcuts import get_object_or_404, redirect
+from django.http import Http404
+from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.translation import get_language, gettext_lazy as _
@@ -94,6 +95,8 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
            cf = CachedFile.objects.get(pk=kwargs['file'])
        except CachedFile.DoesNotExist:
            raise ShredError(_("The download file could no longer be found on the server, please try to start again."))
+        if not cf.allowed_for_session(self.request):
+            raise Http404()

        with ZipFile(cf.file.file, 'r') as zipfile:
            indexdata = json.loads(zipfile.read('index.json').decode())
@@ -111,7 +114,7 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
        ctx = super().get_context_data(**kwargs)
        ctx['shredders'] = self.shredders
        ctx['download_on_shred'] = any(shredder.require_download_confirmation for shredder in shredders)
-        ctx['file'] = get_object_or_404(CachedFile, pk=kwargs.get("file"))
+        ctx['file'] = cf
        return ctx


--- a/src/pretix/presale/templates/pretixpresale/event/fragment_event_info.html
+++ b/src/pretix/presale/templates/pretixpresale/event/fragment_event_info.html
@@ -23,7 +23,7 @@
                <br>
                <span data-time="{{ ev.date_from.isoformat }}" data-timezone="{{ request.event.timezone }}">
                    {% html_time ev.date_from "TIME_FORMAT" attr_fmt="H:i" as time%}
-                    {% blocktrans with time=time %}
+                    {% blocktrans trimmed with time=time %}
                        Begin: {{ time }}
                    {% endblocktrans %}
                </span>
@@ -31,7 +31,7 @@
                    <br>
                    <span data-time="{{ ev.date_to.isoformat }}" data-timezone="{{ request.event.timezone }}">
                        {% html_time ev.date_to "TIME_FORMAT" attr_fmt="H:i" as time%}
-                        {% blocktrans with time=time %}
+                        {% blocktrans trimmed with time=time %}
                            End: {{ time }}
                        {% endblocktrans %}
                    </span>
--- a/src/pretix/presale/templates/pretixpresale/fragment_event_list_status.html
+++ b/src/pretix/presale/templates/pretixpresale/fragment_event_list_status.html
@@ -54,7 +54,7 @@
    {% if event.settings.presale_start_show_date %}
        <br><span class="text-muted">
        {% html_time event.event.effective_presale_start "SHORT_DATE_FORMAT" as date %}
-            {% blocktrans with date=date %}
+            {% blocktrans trimmed with date=date %}
                Sale starts {{ date }}
            {% endblocktrans %}
        </span>
--- a/src/pretix/static/pretixpresale/scss/widget.scss
+++ b/src/pretix/static/pretixpresale/scss/widget.scss
@@ -848,6 +848,9 @@ $table-bg-accent: rgba(128, 128, 128, 0.05);
    outline: 2px solid $brand-primary;
    outline-offset: 2px;
  }
+  &:not([open]) {
+    display: none;
+  }
 }
 .pretix-widget-frame-isloading:focus {
  outline: none;
Author	SHA1	Message	Date
Raphael Michel	81f16dc242	Widget: Hide dialogs by default (Z#23218872)	2025-12-19 16:03:36 +01:00
Raphael Michel	aa9c478c30	[SECURITY] Prevent access to arbitrary cached files by UUID (CVE-2025-14881)	2025-12-19 12:59:21 +01:00
Richard Schreiber	847dc0f992	Re-add missing trimmed for blocktrans (#5735 )	2025-12-18 20:28:06 +01:00