From d27fefe4da66c0105569daba9b707541d5d83586 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Thu, 8 Dec 2016 12:22:04 +0100
Subject: [PATCH] Improve URL parameter validation

---
 src/pretix/base/views/cachedfiles.py | 7 +++++--
 src/pretix/control/views/orders.py | 11 +++++++----
 src/pretix/presale/urls.py | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/pretix/base/views/cachedfiles.py b/src/pretix/base/views/cachedfiles.py
index 6911924c6..8eb838478 100644
--- a/src/pretix/base/views/cachedfiles.py
+++ b/src/pretix/base/views/cachedfiles.py
@@ -1,6 +1,6 @@
 import os
-from django.http import FileResponse, HttpRequest, HttpResponse
+from django.http import FileResponse, Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django.views.generic import TemplateView
@@ -13,7 +13,10 @@ class DownloadView(TemplateView):
 
     @cached_property
     def object(self) -> CachedFile:
-        return get_object_or_404(CachedFile, id=self.kwargs['id'])
+        try:
+            return get_object_or_404(CachedFile, id=self.kwargs['id'])
+        except ValueError: # Invalid URLs
+            raise Http404()
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         if 'ajax' in request.GET:
diff --git a/src/pretix/control/views/orders.py b/src/pretix/control/views/orders.py
index f729ebdef..2b56b4019 100644
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -100,10 +100,13 @@ class OrderView(EventPermissionRequiredMixin, DetailView):
     model = Order
 
     def get_object(self, queryset=None):
-        return Order.objects.get(
-            event=self.request.event,
-            code=self.kwargs['code'].upper()
-        )
+        try:
+            return Order.objects.get(
+                event=self.request.event,
+                code=self.kwargs['code'].upper()
+            )
+        except Order.DoesNotExist:
+            raise Http404()
 
     def _redirect_back(self):
         return redirect('control:event.order',
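Review bot: The new `except ValueError` in `object` only works because, in the Django version of this commit, a malformed id string reaches `uuid.UUID()` inside the lookup and its ValueError escapes unchanged; later Django releases convert that case into `django.core.exceptions.ValidationError` in `UUIDField.to_python`, and this handler would then let a 500 through again. If `CachedFile.id` is a UUID field (the model is not visible here), the durable fix is to constrain the `id` group in the URLconf to a UUID pattern so invalid ids never reach the view, or at least widen the handler to `except (ValueError, ValidationError):` with the matching import. I would also state the intent on the handler rather than the terse `# Invalid URLs`, e.g. `# A malformed id in the URL must yield 404, not 500 — the DB layer raises before the lookup runs.` `DownloadView` starts before this hunk.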
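Review bot: Nothing in this hunk brings `Http404` into scope in orders.py, and the diffstat shows only these seven insertions for the file, so the new `except Order.DoesNotExist:` branch will raise `NameError` (still a 500) instead of a 404 unless `Http404` is already imported above line 100 — please confirm the import exists. The `event=self.request.event` filter is the only thing keeping a valid order code from another event from resolving in this view, and that deserves a why-comment since the uppercased `code` from the URL is otherwise attacker-controlled: `# Scoped to the current event: a code belonging to another event must 404, not leak.` `OrderView` begins before this hunk, and the permission check it relies on lives in `EventPermissionRequiredMixin`, outside the diff.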
diff --git a/src/pretix/presale/urls.py b/src/pretix/presale/urls.py
index 1a7f3cfad..c4049c87b 100644
--- a/src/pretix/presale/urls.py
+++ b/src/pretix/presale/urls.py
@@ -48,7 +48,7 @@ event_patterns = [
     url(r'^order/(?P[^/]+)/(?P[A-Za-z0-9]+)/download/(?P[0-9]+)/(?P[^/]+)$',
         pretix.presale.views.order.OrderDownload.as_view(),
         name='event.order.download'),
-    url(r'^order/(?P[^/]+)/(?P[A-Za-z0-9]+)/invoice/(?P[^/]+)$',
+    url(r'^order/(?P[^/]+)/(?P[A-Za-z0-9]+)/invoice/(?P[0-9]+)$',
         pretix.presale.views.order.InvoiceDownload.as_view(),
         name='event.invoice.download'),
     url(r'^$', pretix.presale.views.event.EventIndex.as_view(), name='event.index'),
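Review bot: The `[0-9]+` that replaces `[^/]+` for the invoice id in the new pattern is unbounded, so a request such as `/invoice/99999999999999999999/` still passes the URLconf and reaches the view's integer lookup; Python accepts the int, but on a backend with a 64-bit integer column the query fails with a `DataError` (a 500) instead of the 404 this commit is trying to produce. Bound the group, e.g. replace `[0-9]+` with `[0-9]{1,18}`, or cast and range-check the id in `InvoiceDownload`; the `download/.../[0-9]+` context line above has the same shape and should get the same bound. The named groups' names have been lost in this rendering (`(?P[^/]+)`), so I cannot confirm from here that they match the keyword arguments the views read.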