Don't use Django's redirect() for user-supplied paths

Raphael Michel
2022-11-17 11:46:03 +01:00
parent f18fb02d0b
commit 7b58ddbfde
5 changed files with 23 additions and 12 deletions


@@ -63,6 +63,7 @@ from pretix.base.services.cart import (
remove_cart_position,
)
from pretix.base.views.tasks import AsyncAction
from pretix.helpers.http import redirect_to_url
from pretix.multidomain.urlreverse import eventreverse
from pretix.presale.views import (
CartMixin, EventViewMixin, allow_cors_if_namespaced,
@@ -652,7 +653,7 @@ class RedeemView(NoSearchIndexViewMixin, EventViewMixin, CartMixin, TemplateView
if err:
messages.error(request, _(err))
return redirect(self.get_next_url() + "?voucher_invalid")
return redirect_to_url(self.get_next_url() + "?voucher_invalid")
return super().dispatch(request, *args, **kwargs)
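Review bot: The changed line still builds the target with plain concatenation, `self.get_next_url() + "?voucher_invalid"`, so when `get_next_url()` already carries a query string the result contains two `?` and the `voucher_invalid` marker ends up inside an existing parameter value instead of being its own key. A small guard avoids that: `next_url = self.get_next_url()` / `sep = "&" if "?" in next_url else "?"` / `return redirect_to_url(next_url + sep + "voucher_invalid")`. `redirect_to_url` is only imported in this section, so whether it rejects off-site targets itself is not visible here; if `get_next_url()` can be derived from request input, it is worth confirming that the host/scheme check lives in one of the two. The enclosing `dispatch` starts outside the hunk.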


@@ -50,6 +50,7 @@ from pretix.base.customersso.oidc import (
from pretix.base.models import Customer, InvoiceAddress, Order, OrderPosition
from pretix.base.services.mail import mail
from pretix.base.settings import PERSON_NAME_SCHEMES
from pretix.helpers.http import redirect_to_url
from pretix.multidomain.models import KnownDomain
from pretix.multidomain.urlreverse import build_absolute_uri, eventreverse
from pretix.presale.forms.customer import (
@@ -620,7 +621,7 @@ class SSOLoginView(RedirectBackMixin, View):
})
if self.provider.method == "oidc":
return redirect(oidc_authorize_url(self.provider, f'{nonce}§{next_url}', redirect_uri))
return redirect_to_url(oidc_authorize_url(self.provider, f'{nonce}§{next_url}', redirect_uri))
else:
raise Http404("Unknown SSO method.")
@@ -814,7 +815,7 @@ class SSOLoginReturnView(RedirectBackMixin, View):
})
else:
customer_login(self.request, customer)
return redirect(self.get_success_url(redirect_to))
return redirect_to_url(self.get_success_url(redirect_to))
def _fail(self, message, popup_origin):
if not popup_origin: