pretalx / pretalx

Conference planning tool: CfP, scheduling, speaker management
https://pretalx.com
Apache License 2.0

Static export leaks list of all conferences on that pretalx instance, including images #488

Closed MacLemon closed 6 years ago

MacLemon commented 6 years ago

Expected Behavior

A static Fahrplan export for a conference must only export data pertaining to that conference and not export any data regarding another conference that is organised with the same pretalx instance.

Current Behavior

When downloading the static export of one conference as a .zip archive, that archive contains a media folder which has subfolders for all other conferences by slug. These media/slug/images/ABCDE/ folders contain images for submissions.

Steps to Reproduce

  1. Navigate to https://pretalx.example.org/orga/event/slug/schedule/export
  2. Click on [Download ZIP]
  3. Uncompress the downloaded ZIP archive
  4. Inspect the contents and get to know all the slugs for other conferences.

Context

This leaks slugs and hence existence of all conferences on that pretalx instance, even conferences that aren't yet public. While the slugs themselves are unlikely to be really sensitive the images might as well be.

Your Environment
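An added check (not part of the report or of pretalx itself) that an operator can run against a downloaded export to confirm the fix: it walks the archive's member names, collects every slug that appears under media/<slug>/ and flags any slug other than the exporting event's own. The archive layout and slugs used below are constructed to mirror the report.

```python
import io
import zipfile
from typing import Dict, Iterable, Set, Tuple


def media_slugs_in_export(zip_bytes: bytes) -> Dict[str, int]:
    """Map each event slug found under media/<slug>/ to its number of files."""
    counts: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Only media/<slug>/<file...> entries count; skip bare directory entries.
            if len(parts) < 3 or parts[0] != "media" or not parts[-1]:
                continue
            counts[parts[1]] = counts.get(parts[1], 0) + 1
    return counts


def foreign_media_slugs(zip_bytes: bytes, own_slug: str) -> Set[str]:
    """Slugs of other events whose media ended up in this export; must be empty."""
    return {slug for slug in media_slugs_in_export(zip_bytes) if slug != own_slug}


def build_sample_export(slugs_with_images: Iterable[Tuple[str, str]]) -> bytes:
    """Constructed sample archive mimicking the media/<slug>/images/<code>/ layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html></html>")
        for slug, code in slugs_with_images:
            zf.writestr(f"media/{slug}/images/{code}/talk.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: an export of "democon" that also carries "secretcon" media.
    leaky = build_sample_export([("democon", "ABCDE"), ("secretcon", "FGHIJ")])
    print("foreign slugs:", foreign_media_slugs(leaky, "democon"))
```

To check a real download, read the .zip into bytes and call foreign_media_slugs with the event's slug; a non-empty result means the export still bundles other events' media.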

rixx commented 6 years ago

Thank you for the report! The issue seems to be fixed now. (In the future, we'd appreciate reporting of security relevant issues via email)

MacLemon commented 6 years ago

I don't see a security problem with this. It's an info leak and may be even a privacy issue, but no security problem. Either way, I'll be more considerate when reporting similar issues in the past. Thanks for the fix! Much appreciated!