[SECURITY] Tokens for downloading answer attachments

This commit is contained in:
Raphael Michel
2017-08-20 16:59:45 +02:00
parent 5c91352bae
commit 1a42a54d98
10 changed files with 132 additions and 14 deletions


@@ -0,0 +1,18 @@
import hashlib
from django.core.signing import BadSignature, TimestampSigner
def get_token(request, answer):
payload = '{}:{}'.format(request.session.session_key, answer.pk)
signer = TimestampSigner()
return signer.sign(hashlib.sha1(payload.encode()).hexdigest())
def check_token(request, answer, token):
payload = hashlib.sha1('{}:{}'.format(request.session.session_key, answer.pk).encode()).hexdigest()
signer = TimestampSigner()
try:
return payload == signer.unsign(token, max_age=3600 * 24)
except BadSignature:
return False
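Review bot: Both `get_token` and `check_token` format `request.session.session_key` into the payload without checking that it is set. Django leaves this as `None` until the session has been saved, so a token issued to a request without a session would hash `'None:<pk>'` and then validate for every other request that has no session. Whether callers guarantee a session is not visible in this file, so the helpers should enforce it themselves: `if not request.session.session_key: request.session.create()` before signing, and `if not request.session.session_key: return False` at the top of `check_token`. It would also be worth giving the signer its own namespace, e.g. `TimestampSigner(salt='answer-download-token')` (salt name constructed here), so values signed by other default-salt signers in the project cannot be replayed as download tokens. Comparing with `django.utils.crypto.constant_time_compare` instead of `==` would be a cheap hardening as well.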