Expected Behavior
A static Fahrplan export for a conference must only export data pertaining to that conference and not export any data regarding another conference that is organised with the same pretalx instance.
Current Behavior
When downloading the static export of one conference as a .zip archive, that archive contains a media folder which has subfolders for all other conferences by slug. These media/slug/images/ABCDE/ folders contain images for submissions.
Steps to Reproduce
Navigate to https://pretalx.example.org/orga/event/slug/schedule/export
Click on [Download ZIP]
Uncompress the downloaded ZIP archive
Inspect the contents and get to know all the slugs for other conferences.
Context
This leaks slugs and hence the existence of all conferences on that pretalx instance, even conferences that aren't yet public. While the slugs themselves are unlikely to be really sensitive, the images might well be.
Your Environment
Version used: 0.7.1 (latest release)
Environment name and version: Browser independent, python 3.6
Operating System and version (desktop or mobile): macOS, Desktop
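A regression check for the leak described above, added here as an example and not part of the issue or of pretalx's own code. It assumes only the archive layout the report describes (media/<event-slug>/images/<code>/...) and builds a constructed in-memory ZIP as sample input, so it runs offline; pointed at a real export it lists every foreign event slug found under media/.

```python
import io
import zipfile
from typing import Dict, List

# Layout assumed from the report: media/<event-slug>/images/<submission code>/<file>
MEDIA_PREFIX = "media/"


def foreign_media_slugs(zip_bytes: bytes, event_slug: str) -> List[str]:
    """Return, sorted, every event slug under media/ that is not the exported event's slug.

    An empty list means the export contains no other event's media.
    """
    slugs = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(MEDIA_PREFIX):
                continue
            parts = name[len(MEDIA_PREFIX):].split("/")
            # Need at least "<slug>/<something>"; skip bare or empty entries.
            if len(parts) < 2 or not parts[0]:
                continue
            if parts[0] != event_slug:
                slugs.add(parts[0])
    return sorted(slugs)


def build_export(entries: Dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from a name -> content mapping (test fixture, not real pretalx output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample reproducing the reported behaviour: the export for "democon"
# also carries media folders for two other events on the same instance.
SAMPLE_EXPORT = build_export({
    "democon/schedule.html": b"<html></html>",
    "media/democon/images/ABCDE/talk.png": b"png",
    "media/othercon/images/FGHIJ/talk.png": b"png",
    "media/secretcon/images/KLMNO/logo.png": b"png",
})

if __name__ == "__main__":
    print("foreign slugs in export:", foreign_media_slugs(SAMPLE_EXPORT, "democon"))
```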
I don't see a security problem with this. It's an info leak and maybe even a privacy issue, but no security problem. Either way, I'll be more considerate when reporting similar issues in the past.
Thanks for the fix! Much appreciated!