fix: Shared PDF authentication bypass (CVE-2026-34376)

Author: mrmn2

pdfding/pdf/migrations/0025_add_session_to_shared_pdf.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.12 on 2026-03-28 11:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pdf', '0024_remove_unneeded_null_true'),
+        ('sessions', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sharedpdf',
+            name='sessions',
+            field=models.ManyToManyField(to='sessions.session'),
+        ),
+    ]

pdfding/pdf/models/shared_pdf_models.py

@@ -2,6 +2,7 @@
 from uuid import uuid4
 
 from django.contrib.humanize.templatetags.humanize import naturaltime
+from django.contrib.sessions.models import Session
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from pdf.models.helpers import get_collection_dir
@@ -30,6 +31,7 @@ class SharedPdf(models.Model):
     password = models.CharField(max_length=128, null=True, blank=True, help_text=_('Optional'))
     expiration_date = models.DateTimeField(null=True, blank=True)
     deletion_date = models.DateTimeField(null=True, blank=True)
+    sessions = models.ManyToManyField(Session)
 
     def __str__(self) -> str:
         return self.name  # pragma: no cover

pdfding/pdf/services/shared_pdf_services.py

@@ -1,10 +1,34 @@
 from datetime import datetime, timedelta, timezone
 
+from django.contrib.sessions.models import Session
+from pdf.models.shared_pdf_models import SharedPdf
+
+
+def check_shared_access_allowed_by_identifier(identifier: str, session: Session):
+    """Check if access to shared pdf is allowed based on session."""
+
+    shared_pdf = SharedPdf.objects.get(pk=identifier)
+
+    return check_shared_access_allowed(shared_pdf, session)
+
+
+def check_shared_access_allowed(shared_pdf: SharedPdf, session: Session):
+    """Check if access to shared pdf is allowed based on session."""
+
+    if (
+        session
+        and (session.get_expiry_date() - datetime.now(timezone.utc)).total_seconds() > 0
+        and shared_pdf.sessions.filter(session_key=session.session_key).count()
+    ):
+        return True
+    else:
+        return False
+
 
 def get_future_datetime(time_input: str) -> datetime | None:
     """
     Gets a datetime in the future from now based on the input. Input is in the format _d_h_m, e.g. 1d0h22m.
-    If input is an empty string returns None
+    If input is an empty string returns None.
     """
 
     if not time_input:

pdfding/pdf/templates/viewer.html

@@ -38,7 +38,7 @@
     <link rel="stylesheet" href="../../static/pdfjs/web/viewer.css">
     <link rel="stylesheet" href="{% static 'css/pdf_viewer.css' %}">
     <link rel="icon" type="image/x-icon" href="{% static 'images/logo_with_circle.svg' %}">
-    {# commented until more languages get added to PdfDing }
+    {# commented until more languages get added to PdfDing #}
     {# <link rel="resource" type="application/l10n" href="../../static/pdfjs/web/locale/locale.json"/> #}
     <style>
       :root{

pdfding/pdf/tests/test_services/test_shared_pdf_services.py

@@ -1,14 +1,55 @@
 from datetime import datetime, timedelta, timezone
+from unittest import mock
 
 from django.contrib.auth.models import User
+from django.contrib.sessions.models import Session
 from django.test import TestCase
-from pdf.services.shared_pdf_services import get_future_datetime
+from django.urls import reverse
+from pdf.models.pdf_models import Pdf
+from pdf.models.shared_pdf_models import SharedPdf
+from pdf.services.shared_pdf_services import (
+    check_shared_access_allowed,
+    check_shared_access_allowed_by_identifier,
+    get_future_datetime,
+)
 
 
 class TestSharedPdfServices(TestCase):
     def setUp(self):
         self.user = User.objects.create_user(username='username', password='password', email='a@a.com')
 
+    def test_check_shared_access_allowed(self):
+        # get dummy request
+        response = self.client.get(reverse('pdf_overview'))
+        request = response.wsgi_request
+
+        # create dummy session
+        request.session.create()
+        pdf = Pdf.objects.create(name='bla', collection_id=self.user.id)
+        shared_pdf = SharedPdf.objects.create(pdf=pdf, name='share')
+
+        assert not check_shared_access_allowed(shared_pdf, request.session)
+
+        shared_pdf.sessions.add(Session.objects.get(session_key=request.session.session_key))
+        assert check_shared_access_allowed(shared_pdf, request.session)
+
+        request.session.set_expiry(-1)
+        assert not check_shared_access_allowed(shared_pdf, request.session)
+
+    @mock.patch('pdf.services.shared_pdf_services.check_shared_access_allowed')
+    def test_check_shared_access_allowed_by_identifier(self, mock_check):
+        # get dummy request
+        response = self.client.get(reverse('pdf_overview'))
+        request = response.wsgi_request
+
+        # create dummy session
+        request.session.create()
+        pdf = Pdf.objects.create(name='bla', collection_id=self.user.id)
+        shared_pdf = SharedPdf.objects.create(pdf=pdf, name='share')
+
+        check_shared_access_allowed_by_identifier(shared_pdf.id, request.session)
+        mock_check.assert_called_once_with(shared_pdf, request.session)
+
     def test_get_future_datetime(self):
         expected_result = datetime.now(timezone.utc) + timedelta(days=1, hours=0, minutes=22)
         generated_result = get_future_datetime('1d0h22m')

pdfding/pdf/tests/test_views/test_share_views.py

@@ -2,9 +2,11 @@
 from io import BytesIO
 from unittest.mock import MagicMock, patch
 
+import pytest
 from django.contrib.auth.hashers import make_password
 from django.contrib.auth.models import User
 from django.contrib.messages import get_messages
+from django.http.response import Http404
 from django.test import Client, TestCase
 from django.urls import reverse
 from pdf.forms import (
@@ -258,10 +260,22 @@ def setUp(self):
         self.pdf = None
         set_up(self)
 
-    def test_get_object(self):
+    @patch('pdf.services.shared_pdf_services.check_shared_access_allowed', return_value=True)
+    def test_get_object(self, mock_check):
+        # get dummy request
+        response = self.client.get(reverse('pdf_overview'))
+        shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='share')
+
+        self.assertEqual(shared_pdf.pdf, PdfPublicMixin.get_object(response.wsgi_request, shared_pdf.id))
+
+    @patch('pdf.services.shared_pdf_services.check_shared_access_allowed', return_value=False)
+    def test_get_object_404(self, mock_check):
+        # get dummy request
+        response = self.client.get(reverse('pdf_overview'))
         shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='share')
 
-        self.assertEqual(shared_pdf.pdf, PdfPublicMixin.get_object(None, shared_pdf.id))
+        with pytest.raises(Http404, match='Access to shared pdf not allowed!'):
+            PdfPublicMixin.get_object(response.wsgi_request, shared_pdf.id)
 
 
 class TestBaseSharedPdfPublicView(TestCase):
@@ -279,7 +293,7 @@ def test_get_object(self):
         self.assertEqual(shared_pdf, BaseSharedPdfPublicView.get_shared_pdf_public(None, shared_pdf.id))
 
 
-class TestLoginNotRequiredViews(TestCase):
+class TestViewSharedPdf(TestCase):
     username = 'user'
     password = '12345'
 
@@ -289,7 +303,8 @@ def setUp(self):
         set_up(self)
         self.shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='shared_pdf')
 
-    def test_view_get_active(self):
+    @patch('pdf.views.share_views.check_shared_access_allowed', return_value=False)
+    def test_view_get_active_no_active_session(self, mock_check):
         # test without http referer
         response = self.client.get(reverse('view_shared_pdf', kwargs={'identifier': self.shared_pdf.id}))
 
@@ -298,22 +313,17 @@ def test_view_get_active(self):
         self.assertEqual(response.context['host'], 'testserver')
         self.assertEqual(response.context['form'], ViewSharedPasswordForm)
 
-    def test_view_get_inactive(self):
-        inactive_shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='inactive_shared_pdf', views=2, max_views=1)
+    @patch('pdf.views.share_views.get_viewer_theme_and_color')
+    @patch('pdf.views.share_views.check_shared_access_allowed', return_value=True)
+    def test_view_get_active_active_session(self, mock_check, mock_get_viewer_theme_and_color):
         # test without http referer
-        response = self.client.get(reverse('view_shared_pdf', kwargs={'identifier': inactive_shared_pdf.id}))
-
-        self.assertTemplateUsed(response, 'view_shared_inactive.html')
 
-    @patch('pdf.views.share_views.get_viewer_theme_and_color')
-    def test_view_post_active_no_password(self, mock_get_viewer_theme_and_color):
         mock_get_viewer_theme_and_color.return_value = 'dark', '4 4 4'
-
         self.shared_pdf.pdf.revision = 2
         self.shared_pdf.pdf.save()
         self.assertEqual(self.shared_pdf.views, 0)
 
-        response = self.client.post(reverse('view_shared_pdf', kwargs={'identifier': self.shared_pdf.id}))
+        response = self.client.get(reverse('view_shared_pdf', kwargs={'identifier': self.shared_pdf.id}))
         self.assertEqual(response.context['shared_pdf_id'], self.shared_pdf.id)
         self.assertEqual(response.context['current_page'], 1)
         self.assertEqual(response.context['revision'], 2)
@@ -326,41 +336,47 @@ def test_view_post_active_no_password(self, mock_get_viewer_theme_and_color):
         shared_pdf = SharedPdf.objects.get(pk=self.shared_pdf.id)
         self.assertEqual(shared_pdf.views, 1)
 
-    @patch('pdf.views.share_views.get_viewer_theme_and_color')
-    def test_view_post_active_correct_password(self, mock_get_viewer_theme_and_color):
-        mock_get_viewer_theme_and_color.return_value = 'dark', '4 4 4'
+    def test_view_get_inactive(self):
+        inactive_shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='inactive_shared_pdf', views=2, max_views=1)
+        # test without http referer
+        response = self.client.get(reverse('view_shared_pdf', kwargs={'identifier': inactive_shared_pdf.id}))
 
-        self.shared_pdf.pdf.revision = 2
-        self.shared_pdf.pdf.save()
+        self.assertTemplateUsed(response, 'view_shared_inactive.html')
 
+    def test_view_post_active_no_password(self):
+        unprotected_shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='unprotected_shared_pdf')
+        assert unprotected_shared_pdf.sessions.count() == 0
+
+        response = self.client.post(reverse('view_shared_pdf', kwargs={'identifier': unprotected_shared_pdf.id}))
+
+        assert unprotected_shared_pdf.sessions.count() == 1
+        self.assertRedirects(response, reverse('view_shared_pdf', kwargs={'identifier': unprotected_shared_pdf.id}))
+
+    def test_view_post_active_wrong_password(self):
         protected_shared_pdf = SharedPdf.objects.create(
             pdf=self.pdf, name='protected_shared_pdf', password=make_password('some_pw')
         )
 
         response = self.client.post(
-            reverse('view_shared_pdf', kwargs={'identifier': protected_shared_pdf.id}),
-            data={'password_input': 'some_pw'},
+            reverse('view_shared_pdf', kwargs={'identifier': protected_shared_pdf.id}), data={'password_input': 'wrong'}
         )
 
-        self.assertEqual(response.context['shared_pdf_id'], protected_shared_pdf.id)
-        self.assertEqual(response.context['theme_color'], '4 4 4')
-        self.assertEqual(response.context['theme'], 'dark')
-        self.assertEqual(response.context['revision'], 2)
-        self.assertEqual(response.context['user_view_bool'], False)
-        self.assertTemplateUsed(response, 'viewer.html')
-
-        protected_shared_pdf = SharedPdf.objects.get(pk=protected_shared_pdf.id)
-        self.assertEqual(protected_shared_pdf.views, 1)
+        self.assertIsInstance(response.context['form'], ViewSharedPasswordForm)
+        self.assertTemplateUsed(response, 'view_shared_info.html')
 
-    def test_view_post_active_wrong_password(self):
-        protected_shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='protected_shared_pdf', password='some_pw')
+    def test_view_post_active_correct_password(self):
+        protected_shared_pdf = SharedPdf.objects.create(
+            pdf=self.pdf, name='protected_shared_pdf', password=make_password('some_pw')
+        )
+        assert protected_shared_pdf.sessions.count() == 0
 
         response = self.client.post(
-            reverse('view_shared_pdf', kwargs={'identifier': protected_shared_pdf.id}), data={'password_input': 'wrong'}
+            reverse('view_shared_pdf', kwargs={'identifier': protected_shared_pdf.id}),
+            data={'password_input': 'some_pw'},
         )
 
-        self.assertIsInstance(response.context['form'], ViewSharedPasswordForm)
-        self.assertTemplateUsed(response, 'view_shared_info.html')
+        assert protected_shared_pdf.sessions.count() == 1
+        self.assertRedirects(response, reverse('view_shared_pdf', kwargs={'identifier': protected_shared_pdf.id}))
 
     def test_view_post_inactive(self):
         inactive_shared_pdf = SharedPdf.objects.create(pdf=self.pdf, name='inactive_shared_pdf', views=2, max_views=1)

pdfding/pdf/views/share_views.py

@@ -5,11 +5,12 @@
 from base import base_views
 from django.contrib import messages
 from django.contrib.auth.decorators import login_not_required
+from django.contrib.sessions.models import Session
 from django.core.files import File
 from django.db.models import Q, QuerySet
 from django.db.models.functions import Lower
-from django.http import HttpRequest
-from django.shortcuts import render
+from django.http import Http404, HttpRequest
+from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
@@ -26,7 +27,11 @@
 )
 from pdf.models.shared_pdf_models import SharedPdf
 from pdf.services.pdf_services import check_object_access_allowed
-from pdf.services.shared_pdf_services import get_future_datetime
+from pdf.services.shared_pdf_services import (
+    check_shared_access_allowed,
+    check_shared_access_allowed_by_identifier,
+    get_future_datetime,
+)
 from pdf.services.workspace_services import get_shared_pdfs_of_workspace
 from pdf.views.pdf_views import PdfMixin
 from qrcode.image import svg
@@ -150,7 +155,7 @@ class SharedPdfMixin(BaseShareMixin):
     @staticmethod
     @check_object_access_allowed
     def get_object(request: HttpRequest, identifier: str):
-        """Get the shered pdf specified by the ID"""
+        """Get the shared pdf specified by the ID"""
 
         user_profile = request.user.profile
         shared_pdf = user_profile.all_shared_pdfs.get(id=identifier)
@@ -217,13 +222,15 @@ def process_field(cls, field_name: str, shared_pdf: SharedPdf, request: HttpRequ
 
 class PdfPublicMixin:
     @staticmethod
-    @check_object_access_allowed
-    def get_object(_, shared_id: str):
+    def get_object(request: HttpRequest, shared_id: str):
         """Get the shared pdf specified by the ID"""
 
-        shared_pdf = SharedPdf.objects.get(pk=shared_id)
+        if check_shared_access_allowed_by_identifier(shared_id, request.session):
+            shared_pdf = SharedPdf.objects.get(pk=shared_id)
 
-        return shared_pdf.pdf
+            return shared_pdf.pdf
+        else:
+            raise Http404('Access to shared pdf not allowed!')
 
 
 class BaseSharedPdfPublicView(View):
@@ -302,6 +309,8 @@ def get(self, request: HttpRequest, identifier: str):
 
         if shared_pdf.inactive or shared_pdf.deleted:
             return render(request, 'view_shared_inactive.html')
+        elif check_shared_access_allowed(shared_pdf, request.session):
+            return self.render_shared_pdf_view(request, shared_pdf)
         else:
             return render(
                 request,
@@ -315,15 +324,19 @@ def post(self, request: HttpRequest, identifier: str):
         if shared_pdf.inactive:
             return render(request, 'view_shared_inactive.html')
         else:
-            if shared_pdf.password:
-                form = ViewSharedPasswordForm(request.POST, shared_pdf=shared_pdf)
+            form = ViewSharedPasswordForm(request.POST, shared_pdf=shared_pdf)
+
+            if not shared_pdf.password or form.is_valid():
+                if not request.session or not request.session.session_key:
+                    request.session.create()
+                    # set session expiry to 1 week
+                    request.session.set_expiry(604800)
+                    request.session.save()
 
-                if form.is_valid():
-                    return self.render_shared_pdf_view(request, shared_pdf)
-                else:
-                    return render(request, 'view_shared_info.html', {'shared_pdf': shared_pdf, 'form': form})
+                shared_pdf.sessions.add(Session.objects.get(session_key=request.session.session_key))
+                return redirect('view_shared_pdf', identifier=shared_pdf.id)
             else:
-                return self.render_shared_pdf_view(request, shared_pdf)
+                return render(request, 'view_shared_info.html', {'shared_pdf': shared_pdf, 'form': form})
 
     @staticmethod
     def render_shared_pdf_view(request: HttpRequest, shared_pdf: SharedPdf):