CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-03 14:54:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve order secret handling (#4139)

Browse Source 
- use hmac.compare_digest for all secret comparisons
- use salted_hmac with sha256 instead of plain sha1 for hashed secrets
- move secret handling into helper functions
This commit is contained in:
Mira
2024-05-23 14:30:16 +02:00
committed by GitHub
parent e93e5c047c
commit 05a2f411db
8 changed files with 251 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/pretix/plugins/paypal2/payment.py
View File

@@ -19,7 +19,6 @@
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import hashlib
import json
import logging
import urllib.parse
@@ -1096,5 +1095,5 @@ class PaypalAPM(PaypalMethod):
return eventreverse(self.event, 'plugins:paypal2:pay', kwargs={
'order': payment.order.code,
'payment': payment.pk,
'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
'hash': payment.order.tagged_secret('plugins:paypal2:pay'),
})

13
src/pretix/plugins/paypal2/views.py
View File

@@ -31,7 +31,6 @@
# Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
import hashlib
import json
import logging
from decimal import Decimal
@@ -81,15 +80,11 @@ logger = logging.getLogger('pretix.plugins.paypal2')
class PaypalOrderView:
def dispatch(self, request, *args, **kwargs):
try:
self.order = request.event.orders.get(code=kwargs['order'])
if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():
raise Http404('Unknown order')
self.order = request.event.orders.get_with_secret_check(
code=kwargs['order'], received_secret=kwargs['hash'].lower(), tag='plugins:paypal2:pay'
)
except Order.DoesNotExist:
# Do a hash comparison as well to harden timing attacks
if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():
raise Http404('Unknown order')
else:
raise Http404('Unknown order')
raise Http404('Unknown order')
return super().dispatch(request, *args, **kwargs)
@cached_property

11
src/pretix/plugins/stripe/payment.py
View File

@@ -32,7 +32,6 @@
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
import hashlib
import json
import logging
import re
@@ -636,7 +635,7 @@ class StripeMethod(BasePaymentProvider):
'order': payment.order,
'payment': payment,
'payment_info': payment_info,
'payment_hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest()
'payment_hash': payment.order.tagged_secret('plugins:stripe')
}
return template.render(ctx)
@@ -890,7 +889,7 @@ class StripeMethod(BasePaymentProvider):
return_url=build_absolute_uri(self.event, 'plugins:stripe:sca.return', kwargs={
'order': payment.order.code,
'payment': payment.pk,
'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
'hash': payment.order.tagged_secret('plugins:stripe'),
}),
expand=['latest_charge'],
**params
@@ -988,7 +987,7 @@ class StripeMethod(BasePaymentProvider):
url = build_absolute_uri(self.event, 'plugins:stripe:sca', kwargs={
'order': payment.order.code,
'payment': payment.pk,
'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
'hash': payment.order.tagged_secret('plugins:stripe'),
})
if not self.redirect_in_widget_allowed and request.session.get('iframe_session', False):
return build_absolute_uri(self.event, 'plugins:stripe:redirect') + '?data=' + signing.dumps({
@@ -1009,7 +1008,7 @@ class StripeMethod(BasePaymentProvider):
return_url=build_absolute_uri(self.event, 'plugins:stripe:sca.return', kwargs={
'order': payment.order.code,
'payment': payment.pk,
'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
'hash': payment.order.tagged_secret('plugins:stripe'),
}),
expand=["latest_charge"],
**self.api_kwargs
@@ -1829,7 +1828,7 @@ class StripeMultibanco(StripeSourceMethod):
'return_url': build_absolute_uri(self.event, 'plugins:stripe:return', kwargs={
'order': payment.order.code,
'payment': payment.pk,
'hash': hashlib.sha1(payment.order.secret.lower().encode()).hexdigest(),
'hash': payment.order.tagged_secret('plugins:stripe'),
})
},
**self.api_kwargs

13
src/pretix/plugins/stripe/views.py
View File

@@ -32,7 +32,6 @@
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
import hashlib
import json
import logging
import urllib.parse
@@ -486,15 +485,11 @@ def oauth_disconnect(request, **kwargs):
class StripeOrderView:
def dispatch(self, request, *args, **kwargs):
try:
self.order = request.event.orders.get(code=kwargs['order'])
if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():
raise Http404('')
self.order = request.event.orders.get_with_secret_check(
code=kwargs['order'], received_secret=kwargs['hash'].lower(), tag='plugins:stripe'
)
except Order.DoesNotExist:
# Do a hash comparison as well to harden timing attacks
if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():
raise Http404('')
else:
raise Http404('')
raise Http404('Unknown order')
self.payment = get_object_or_404(
self.order.payments,
pk=self.kwargs['payment'],