CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-09 15:54:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed a possible timing attack channel

Browse Source
This commit is contained in:
Raphael Michel
2016-09-12 20:38:41 +02:00
parent f165275ade
commit 01f0673683
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/pretix/presale/views/order.py
View File

@@ -34,10 +34,17 @@ class OrderDetailMixin:
@cached_property @cached_property
def order(self): def order(self):
try: try:
return Order.objects.get(secret=self.kwargs['secret'], order = Order.objects.get(event=self.request.event, code=self.kwargs['order'])
event=self.request.event, code=self.kwargs['order']) if order.secret.lower() == self.kwargs['secret'].lower():
return order
else:
return None
except Order.DoesNotExist: except Order.DoesNotExist:
return None # Do a comparison as well to harden timing attacks
if 'abcdefghijklmnopq'.lower() == self.kwargs['secret'].lower():
return None
else:
return None
@cached_property @cached_property
def payment_provider(self): def payment_provider(self):