CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Improve URL parameter validation

Browse Source
This commit is contained in:
Raphael Michel
2016-12-08 12:22:04 +01:00
parent 8cb977e4d6
commit d27fefe4da
3 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/pretix/base/views/cachedfiles.py
View File

@@ -1,6 +1,6 @@
import os import os
from django.http import FileResponse, HttpRequest, HttpResponse from django.http import FileResponse, Http404, HttpRequest, HttpResponse
from django.shortcuts import get_object_or_404 from django.shortcuts import get_object_or_404
from django.utils.functional import cached_property from django.utils.functional import cached_property
from django.views.generic import TemplateView from django.views.generic import TemplateView
@@ -13,7 +13,10 @@ class DownloadView(TemplateView):
@cached_property @cached_property
def object(self) -> CachedFile: def object(self) -> CachedFile:
return get_object_or_404(CachedFile, id=self.kwargs['id']) try:
return get_object_or_404(CachedFile, id=self.kwargs['id'])
except ValueError: # Invalid URLs
raise Http404()
def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse: def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
if 'ajax' in request.GET: if 'ajax' in request.GET:

11
src/pretix/control/views/orders.py
View File

@@ -100,10 +100,13 @@ class OrderView(EventPermissionRequiredMixin, DetailView):
model = Order model = Order
def get_object(self, queryset=None): def get_object(self, queryset=None):
return Order.objects.get( try:
event=self.request.event, return Order.objects.get(
code=self.kwargs['code'].upper() event=self.request.event,
) code=self.kwargs['code'].upper()
)
except Order.DoesNotExist:
raise Http404()
def _redirect_back(self): def _redirect_back(self):
return redirect('control:event.order', return redirect('control:event.order',

2
src/pretix/presale/urls.py
View File

@@ -48,7 +48,7 @@ event_patterns = [
url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/download/(?P<position>[0-9]+)/(?P<output>[^/]+)$', url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/download/(?P<position>[0-9]+)/(?P<output>[^/]+)$',
pretix.presale.views.order.OrderDownload.as_view(), pretix.presale.views.order.OrderDownload.as_view(),
name='event.order.download'), name='event.order.download'),
url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/invoice/(?P<invoice>[^/]+)$', url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/invoice/(?P<invoice>[0-9]+)$',
pretix.presale.views.order.InvoiceDownload.as_view(), pretix.presale.views.order.InvoiceDownload.as_view(),
name='event.invoice.download'), name='event.invoice.download'),
url(r'^$', pretix.presale.views.event.EventIndex.as_view(), name='event.index'), url(r'^$', pretix.presale.views.event.EventIndex.as_view(), name='event.index'),