From 01f0673683836ecfe04b77715317b02d53b59aa3 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 12 Sep 2016 20:38:41 +0200
Subject: [PATCH] Fixed a possible timing attack channel

---
 src/pretix/presale/views/order.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/pretix/presale/views/order.py b/src/pretix/presale/views/order.py
index 1db230e8a6..58491eb7a2 100644
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -34,10 +34,17 @@ class OrderDetailMixin:
     @cached_property
     def order(self):
         try:
-            return Order.objects.get(secret=self.kwargs['secret'],
-                                     event=self.request.event, code=self.kwargs['order'])
+            order = Order.objects.get(event=self.request.event, code=self.kwargs['order'])
+            if order.secret.lower() == self.kwargs['secret'].lower():
+                return order
+            else:
+                return None
         except Order.DoesNotExist:
-            return None
+            # Do a comparison as well to harden timing attacks
+            if 'abcdefghijklmnopq'.lower() == self.kwargs['secret'].lower():
+                return None
+            else:
+                return None

     @cached_property
     def payment_provider(self):
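Review bot: The new check at `if order.secret.lower() == self.kwargs['secret'].lower():` still relies on Python's `==`, which returns as soon as the lengths differ or the first mismatching character is hit, so the timing channel the commit sets out to close is narrowed rather than removed. Django already provides a constant-time helper for exactly this: `if constant_time_compare(order.secret.lower(), self.kwargs['secret'].lower()):` with `from django.utils.crypto import constant_time_compare` added to the file's imports. The dummy comparison in the `except Order.DoesNotExist` branch has the same weakness and both of its arms return `None`, so it reduces to a single `constant_time_compare('abcdefghijklmnopq', self.kwargs['secret'].lower())` followed by `return None`. Whether that dummy branch actually equalises timing is uncertain anyway, since the missing-row path skips the model-instance construction the found-row path performs; a comment such as `# NOTE: dummy compare keeps the secret check on both paths; the DB lookup itself still differs` would make that limitation explicit for the next reader. `payment_provider` starts on the hunk's last line and continues outside it.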