Static export leaks list of all conferences on that pretalx instance, including images #488
Thank you for the report! The issue seems to be fixed now.
rixx added a commit that referenced this issue on Aug 31, 2018.
I don't see a security problem with this. It's an info leak and may be even a privacy issue, but no security problem. Either way, I'll be more considerate when reporting similar issues in the past.
Expected Behavior
A static Fahrplan export for a conference must only export data pertaining to that conference and not export any data regarding another conference that is organised with the same pretalx instance.
Current Behavior
When downloading the static export of one conference as a .zip archive, that archive contains a media folder which has subfolders for all other conferences by slug. These media/slug/images/ABCDE/ folders contain images for submissions.
Steps to Reproduce
https://pretalx.example.org/orga/event/slug/schedule/export
Context
This leaks slugs and hence the existence of all conferences on that pretalx instance, even conferences that aren't yet public. While the slugs themselves are unlikely to be really sensitive, the images might as well be.
Your Environment
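A regression check for the behaviour described in this issue, added here as an example and not pretalx's own code: it opens a static export archive and lists every media entry that belongs to a slug other than the exported event's, so a clean export returns nothing. The archive layout and the event slugs are constructed for the example.

```python
import io
import zipfile
from typing import List

# Constructed sample archive mimicking the layout described in the report:
# one media/ folder with one subfolder per event slug. Slugs are made up.
SAMPLE_ENTRIES = [
    "index.html",
    "schedule.json",
    "media/democon/images/ABCDE/talk.png",     # belongs to the exported event
    "media/secretconf/images/XYZ12/logo.png",  # belongs to an unpublished event
    "media/otherconf/",                        # directory entry for yet another event
]


def build_export_zip(entries: List[str]) -> bytes:
    """Build an in-memory zip with the given entry names (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def foreign_media_entries(zip_bytes: bytes, event_slug: str) -> List[str]:
    """Return every media/ entry whose slug component differs from event_slug.

    A clean export for event_slug yields an empty list; anything returned is
    content from another event on the same instance and should not be there.
    """
    foreign = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Only media/<slug>/... entries matter; skip the bare "media/" entry.
            if len(parts) < 2 or parts[0] != "media" or parts[1] == "":
                continue
            if parts[1] != event_slug:
                foreign.append(name)
    return foreign


def leaked_slugs(zip_bytes: bytes, event_slug: str) -> List[str]:
    """Distinct slugs of other events revealed by the archive, sorted."""
    return sorted({n.split("/")[1] for n in foreign_media_entries(zip_bytes, event_slug)})


if __name__ == "__main__":
    export = build_export_zip(SAMPLE_ENTRIES)
    print("foreign media entries:", foreign_media_entries(export, "democon"))
    print("leaked slugs:", leaked_slugs(export, "democon"))
```

Run it against a real export by replacing the constructed archive with the bytes of the downloaded .zip; any non-empty result means the export still carries another event's media.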