From 221ce9f0ae548a063baf0c71c4885048af8e4617 Mon Sep 17 00:00:00 2001 From: Raphael Michel Date: Wed, 3 Aug 2016 00:17:11 +0200 Subject: [PATCH] Added configuration options for some secret lengths --- doc/admin/config.rst | 14 ++++++++++++++ .../base/migrations/0025_auto_20160802_2202.py | 1 + src/pretix/base/models/invoices.py | 2 +- src/pretix/base/models/orders.py | 5 +++-- src/pretix/base/models/vouchers.py | 3 ++- .../templates/pretixcontrol/vouchers/bulk.html | 3 ++- src/pretix/control/views/vouchers.py | 6 ++++++ src/pretix/settings.py | 6 ++++++ src/static/pretixcontrol/js/ui/main.js | 2 +- 9 files changed, 36 insertions(+), 6 deletions(-) diff --git a/doc/admin/config.rst b/doc/admin/config.rst index 267139eac..9bac01577 100644 --- a/doc/admin/config.rst +++ b/doc/admin/config.rst @@ -224,5 +224,19 @@ RabbitMQ might be the better choice if you have a complex, multi-server, high-pe but as you already should have a redis instance ready for session and lock storage, we recommend redis for convenience. See the `Celery documentation`_ for more details. +Secret length +------------- + +If you are really paranoid, you can increase the length of random strings pretix uses in +various places like order codes, secrets in the ticket QR codes, etc. Example:: + + [entropy] + ; Order code needs to be < 16 characters, default is 5 + order_code=5 + ; Ticket secret needs to be < 64 characters, default is 32 + ticket_secret=32 + ; Voucher code needs to be < 255 characters, default is 16 + voucher_code=16 + .. _Python documentation: https://docs.python.org/3/library/configparser.html?highlight=configparser#supported-ini-file-structure .. _Celery documentation: http://docs.celeryproject.org/en/latest/configuration.html diff --git a/src/pretix/base/migrations/0025_auto_20160802_2202.py b/src/pretix/base/migrations/0025_auto_20160802_2202.py index 7385dfd22..8ac2f36b8 100644 --- a/src/pretix/base/migrations/0025_auto_20160802_2202.py 
+++ b/src/pretix/base/migrations/0025_auto_20160802_2202.py @@ -3,6 +3,7 @@ from __future__ import unicode_literals from django.db import migrations, models + import pretix.base.models.orders import pretix.base.models.vouchers diff --git a/src/pretix/base/models/invoices.py b/src/pretix/base/models/invoices.py index d650c9683..49288affa 100644 --- a/src/pretix/base/models/invoices.py +++ b/src/pretix/base/models/invoices.py @@ -8,7 +8,7 @@ from django.db.models import Max def invoice_filename(instance, filename: str) -> str: - secret = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(14)) + secret = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16)) return 'invoices/{org}/{ev}/{ev}-{no:05d}-{code}-{secret}.pdf'.format( org=instance.event.organizer.slug, ev=instance.event.slug, no=instance.invoice_no, code=instance.order.code, diff --git a/src/pretix/base/models/orders.py b/src/pretix/base/models/orders.py index 377c6d386..ec32f40e5 100644 --- a/src/pretix/base/models/orders.py +++ b/src/pretix/base/models/orders.py @@ -4,6 +4,7 @@ import string from datetime import datetime from decimal import Decimal +from django.conf import settings from django.db import models from django.utils.timezone import now from django.utils.translation import ugettext_lazy as _ @@ -21,7 +22,7 @@ def generate_secret(): def generate_position_secret(): # Exclude o,0,1,i,l to avoid confusion with bad fonts/printers - return ''.join(random.choice('abcdefghjkmnpqrstuvwxyz23456789') for _ in range(32)) + return ''.join(random.choice('abcdefghjkmnpqrstuvwxyz23456789') for _ in range(settings.ENTROPY['ticket_secret'])) class Order(LoggedModel): 
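Review bot: The invoice filename secret in `invoice_filename` is still drawn from the default `random` module, which is not a cryptographically secure generator, so raising the length from 14 to 16 characters adds little if the sequence can be predicted from earlier outputs. `random.SystemRandom()` is a drop-in for this call: `secret = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))`. The same `random.choice` pattern is used by `generate_position_secret` and `assign_code` in orders.py and by `generate_code` in vouchers.py, which now produce operator-sized secrets and would benefit from the same swap. Unlike those three, this length stays hard-coded instead of reading `settings.ENTROPY`, which is presumably intentional since the docs in this patch list no invoice key; a short comment saying so would save the next reader from wondering. The surrounding `return` statement continues past the hunk.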
@@ -193,7 +194,7 @@ class Order(LoggedModel): def assign_code(self): charset = list('ABCDEFGHKLMNPQRSTUVWXYZ23456789') while True: - code = "".join([random.choice(charset) for i in range(5)]) + code = "".join([random.choice(charset) for i in range(settings.ENTROPY['order_code'])]) if not Order.objects.filter(event=self.event, code=code).exists(): self.code = code return diff --git a/src/pretix/base/models/vouchers.py b/src/pretix/base/models/vouchers.py index 309e0ce57..ca9ce7030 100644 --- a/src/pretix/base/models/vouchers.py +++ b/src/pretix/base/models/vouchers.py @@ -1,5 +1,6 @@ import random +from django.conf import settings from django.core.exceptions import ValidationError from django.db import models from django.utils.translation import ugettext_lazy as _ @@ -13,7 +14,7 @@ from .orders import CartPosition, OrderPosition def generate_code(): charset = list('ABCDEFGHKLMNPQRSTUVWXYZ23456789') while True: - code = "".join([random.choice(charset) for i in range(16)]) + code = "".join([random.choice(charset) for i in range(settings.ENTROPY['voucher_code'])]) if not Voucher.objects.filter(code=code).exists(): return code diff --git a/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html b/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html index 10ed9338d..e7d5cc489 100644 --- a/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html +++ b/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html @@ -17,7 +17,8 @@ id="voucher-bulk-codes-num" placeholder="{% trans "Number" %}">
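Review bot: `assign_code` retries in an unbounded `while True` until an unused code is found, and now that the length comes from `settings.ENTROPY['order_code']` a small configured value (the 31-character charset gives only 31**n codes per event) lets the loop spin forever once an event's codes are exhausted, instead of failing loudly. The same applies to `generate_code` in vouchers.py, where uniqueness is checked across all vouchers. A bounded retry that raises after a fixed number of attempts, or a lower bound enforced where `ENTROPY` is read in settings.py, would turn this into an explicit error; at minimum a comment such as `# Terminates only while unused codes remain: ENTROPY['order_code'] must stay large enough for the event's order volume` documents the assumption. Whether `assign_code` ends at the `return` shown is not visible in the hunk.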
-
diff --git a/src/pretix/control/views/vouchers.py b/src/pretix/control/views/vouchers.py index 62e0a1c57..854959a38 100644 --- a/src/pretix/control/views/vouchers.py +++ b/src/pretix/control/views/vouchers.py @@ -1,3 +1,4 @@ +from django.conf import settings from django.contrib import messages from django.core.urlresolvers import resolve, reverse from django.db import transaction @@ -202,3 +203,8 @@ class VoucherBulkCreate(EventPermissionRequiredMixin, CreateView): if response: form_class = response return form_class + + def get_context_data(self, **kwargs): + ctx = super().get_context_data(**kwargs) + ctx['code_length'] = settings.ENTROPY['voucher_code'] + return ctx diff --git a/src/pretix/settings.py b/src/pretix/settings.py index 07f887eb1..dfccc0171 100644 --- a/src/pretix/settings.py +++ b/src/pretix/settings.py @@ -135,6 +135,12 @@ if HAS_CELERY: SESSION_COOKIE_DOMAIN = config.get('pretix', 'cookie_domain', fallback=None) +ENTROPY = { + 'order_code': config.getint('entropy', 'order_code', fallback=5), + 'ticket_secret': config.getint('entropy', 'ticket_secret', fallback=32), + 'voucher_code': config.getint('entropy', 'voucher_code', fallback=16), +} + # Internal settings STATIC_ROOT = os.path.join(os.path.dirname(__file__), 'static.dist') diff --git a/src/static/pretixcontrol/js/ui/main.js b/src/static/pretixcontrol/js/ui/main.js index 3ae93ecb9..c2475ddab 100644 --- a/src/static/pretixcontrol/js/ui/main.js +++ b/src/static/pretixcontrol/js/ui/main.js @@ -57,7 +57,7 @@ $(function () { // Vouchers $("#voucher-bulk-codes-generate").click(function () { var charset = "ABCDEFGHKLMNPQRSTUVWXYZ23456789", - i = 0, j = 0, len = 16, + i = 0, j = 0, len = parseInt($(this).attr("data-length")), num = parseInt($("#voucher-bulk-codes-num").val()), text = ""; for (j = 0; j < num; j++) { var key = [];
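Review bot: The new `get_context_data` in `VoucherBulkCreate` has no docstring explaining why the voucher code length is pushed into the template context. A one-liner such as `"""Expose the configured voucher code length so the bulk template can hand it to the client-side code generator."""` would do; the consumer appears to be the `data-length` attribute read in main.js, though the template change itself is not legible in this patch. The preceding `get_form_class` starts outside the hunk.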
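Review bot: `ENTROPY` is read with `config.getint` but never range-checked, so a mistyped or oversized value (the docs in this same patch require `< 16`, `< 64` and `< 255` for the three keys, presumably the columns' `max_length`, which this patch does not show) only surfaces later as a database error on save or as an endless retry loop in `assign_code`, rather than at startup. Validating the three values once here, right after the dict is built, gives a clear startup failure; Django's `ImproperlyConfigured` would be the conventional exception if the import is added. A zero or negative length must be rejected as well, since `range()` would then yield an empty secret.
```python
# … unchanged: ENTROPY = { ... } …
}
# Upper bounds follow doc/admin/config.rst (< 16 / < 64 / < 255); confirm they
# match the max_length of the corresponding model fields.
_ENTROPY_LIMITS = {'order_code': 15, 'ticket_secret': 63, 'voucher_code': 254}
for _key, _max in _ENTROPY_LIMITS.items():
    if not 1 <= ENTROPY[_key] <= _max:
        raise ValueError('[entropy] %s must be between 1 and %d, got %d' % (_key, _max, ENTROPY[_key]))
```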
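Review bot: `parseInt($(this).attr("data-length"))` in the voucher bulk click handler has no radix and no fallback, so if the attribute is missing or not numeric `len` becomes `NaN` and the generator presumably yields empty codes, since the inner loop bound is not visible here. `len = parseInt($(this).attr("data-length"), 10) || 16,` keeps the previous default as a safety net while still honouring the server-provided length. The code-generation loop that consumes `len` continues past the hunk.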