Validate id for async tasks

Richard Schreiber
2026-04-28 08:56:32 +02:00
committed by GitHub
parent 8426a68760
commit 1c7ce4b1ca


@@ -20,6 +20,7 @@
# <https://www.gnu.org/licenses/>. # <https://www.gnu.org/licenses/>.
# #
import logging import logging
import re
from collections import defaultdict from collections import defaultdict
from datetime import timedelta from datetime import timedelta
from importlib import import_module from importlib import import_module
@@ -52,6 +53,7 @@ from pretix.celery_app import app
from pretix.helpers.http import redirect_to_url from pretix.helpers.http import redirect_to_url
logger = logging.getLogger('pretix.base.tasks') logger = logging.getLogger('pretix.base.tasks')
RE_ASYNC_ID = re.compile(r"^[a-zA-Z0-9\-]+$")
class AsyncMixin: class AsyncMixin:
@@ -133,6 +135,8 @@ class AsyncMixin:
def get_result(self, request): def get_result(self, request):
if not request.GET.get('async_id'): if not request.GET.get('async_id'):
raise BadRequest("No async_id given") raise BadRequest("No async_id given")
if not RE_ASYNC_ID.match(request.GET.get('async_id')):
raise BadRequest("Invalid async_id given")
res = AsyncResult(request.GET.get('async_id')) res = AsyncResult(request.GET.get('async_id'))
if 'ajax' in self.request.GET: if 'ajax' in self.request.GET:
return JsonResponse(self._return_ajax_result(res, timeout=0.25)) return JsonResponse(self._return_ajax_result(res, timeout=0.25))
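Review bot: The new check in `get_result` still accepts an `async_id` that ends in a newline, because `RE_ASYNC_ID` is anchored with `$` and applied with `.match()`, and in Python `$` also matches just before a trailing `\n`. A query value such as `abc%0A` (constructed example) would pass validation and be handed to `AsyncResult` unchanged. Using `RE_ASYNC_ID.fullmatch(...)` at the call site, or anchoring the pattern with `\Z` as in `re.compile(r"^[a-zA-Z0-9\-]+\Z")`, makes the validator enforce what it states. The pattern also sets no upper bound on length, so a quantifier like `{1,64}` may be worth adding if task ids have a known maximum size; what the result backend does with the id is not visible here. `get_result` continues past the end of the hunk.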