Fixed a possible timing attack channel

2026-05-07 15:34:02 +00:00 · 2016-09-12 20:38:41 +02:00
parent f165275ade
commit 01f0673683
1 changed files with 10 additions and 3 deletions
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -34,10 +34,17 @@ class OrderDetailMixin:
    @cached_property
    def order(self):
        try:
-            return Order.objects.get(secret=self.kwargs['secret'],
-                                     event=self.request.event, code=self.kwargs['order'])
+            order = Order.objects.get(event=self.request.event, code=self.kwargs['order'])
+            if order.secret.lower() == self.kwargs['secret'].lower():
+                return order
+            else:
+                return None
        except Order.DoesNotExist:
-            return None
+            # Do a comparison as well to harden timing attacks
+            if 'abcdefghijklmnopq'.lower() == self.kwargs['secret'].lower():
+                return None
+            else:
+                return None

    @cached_property
    def payment_provider(self):