Static export leaks list of all conferences on that pretalx instance, including images

[MacLemon]

Expected Behavior

A static Fahrplan export for a conference must only export data pertaining to that conference and not export any data regarding another conference that is organised with the same pretalx instance.

Current Behavior

When downloading the static export of one conference as a .zip archive that archive contains a media folder which has subfolders for all other conferences by slug. These media/slug/images/ABCDE/ folders contains images for submissions.

Steps to Reproduce

1. Navigate to https://pretalx.example.orgorga/event/slug/schedule/export
2. Click on [Download ZIP]
3. Uncompress the downloaded ZIP archive
4. Inspect the contents and get to know all the slugs for other conferences.

Context

This leaks slugs and hence existence of all conferences on that pretalx instance, even conferences that aren't yet public. While the slugs themselves are unlikely to be really sensitive the images might as well be.

Your Environment

• Version used: 0.7.1 (latest release)
• Environment name and version Browser independent, python 3.6
• Operating System and version (desktop or mobile): macOS, Desktop
• Link to your instance, if in production: https://conference.c3w.at/

[rixx]

Thank you for the report! The issue seems to be fixed now.
(In the future, we'd appreciate reporting of security relevant issues via email)

[MacLemon]

I don't see a security problem with this. It's an info leak and may be even a privacy issue, but no security problem. Either way, I'll be more considerate when reporting similar issues in the past.
Thanks for the fix! Much appreciated!