
Static export leaks list of all conferences on that pretalx instance, including images #488

Closed
MacLemon opened this Issue Aug 29, 2018 · 2 comments

@MacLemon
Contributor

MacLemon commented Aug 29, 2018

Expected Behavior

A static Fahrplan export for a conference must only export data pertaining to that conference and not export any data regarding another conference that is organised with the same pretalx instance.

Current Behavior

When downloading the static export of one conference as a .zip archive, that archive contains a media folder which has subfolders for all other conferences by slug. These media/slug/images/ABCDE/ folders contain images for submissions.

Steps to Reproduce

  1. Navigate to https://pretalx.example.org/orga/event/slug/schedule/export
  2. Click on [Download ZIP]
  3. Uncompress the downloaded ZIP archive
  4. Inspect the contents and get to know all the slugs for other conferences.

Context

This leaks slugs and hence existence of all conferences on that pretalx instance, even conferences that aren't yet public. While the slugs themselves are unlikely to be really sensitive the images might as well be.

Your Environment

  • Version used: 0.7.1 (latest release)
  • Environment name and version: Browser independent, python 3.6
  • Operating System and version (desktop or mobile): macOS, Desktop
  • Link to your instance, if in production: https://conference.c3w.at/
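A quick way to verify an export before publishing it, as an added example that is not part of the report or of pretalx itself: list every media/<slug>/ subtree in the ZIP whose slug is not the conference the export was made for. It assumes the archive layout described above (media/slug/images/...); the sample archive is constructed inline.

```python
import io
import zipfile
from collections import defaultdict


def foreign_media_slugs(zip_bytes, own_slug):
    """Return {slug: [entry paths]} for every media/<slug>/ entry in the
    export whose slug differs from own_slug (i.e. data from other events)."""
    leaked = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Only file entries below media/<slug>/ are of interest;
            # directory entries end with "/" and are skipped.
            if len(parts) < 3 or parts[0] != "media" or not parts[-1]:
                continue
            slug = parts[1]
            if slug != own_slug:
                leaked[slug].append(name)
    return {slug: sorted(paths) for slug, paths in leaked.items()}


def build_sample_export():
    """Constructed sample export mimicking the reported layout: the
    'democon' schedule plus media folders of two unrelated events."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("democon/schedule.html", "<html>schedule</html>")
        zf.writestr("media/democon/images/ABCDE/logo.png", b"png")
        zf.writestr("media/othercon/", "")  # directory entry
        zf.writestr("media/othercon/images/XYZ12/photo.jpg", b"jpg")
        zf.writestr("media/secret2019/images/QQQQQ/img.png", b"png")
    return buf.getvalue()


if __name__ == "__main__":
    for slug, paths in foreign_media_slugs(build_sample_export(), "democon").items():
        print(f"leaked slug {slug!r}: {paths}")
```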

@rixx rixx added the issue:bug label Aug 29, 2018

@rixx rixx closed this in a38769e Aug 30, 2018

rixx added a commit that referenced this issue Aug 31, 2018

@rixx


Member

rixx commented Aug 31, 2018

Thank you for the report! The issue seems to be fixed now.
(In the future, we'd appreciate reporting of security relevant issues via email)

rixx added a commit that referenced this issue Aug 31, 2018

@MacLemon


Contributor

MacLemon commented Aug 31, 2018

I don't see a security problem with this. It's an info leak and may even be a privacy issue, but no security problem. Either way, I'll be more considerate when reporting similar issues in the past.
Thanks for the fix! Much appreciated!
