Validate async_id as celery returns any provided ID-value for unknown AsyncResults

Richard Schreiber
2026-04-16 15:33:31 +02:00
parent 4beea63b49
commit 8f7cf77462


@@ -20,6 +20,7 @@
# <https://www.gnu.org/licenses/>.
#
import logging
import re
from collections import defaultdict
from datetime import timedelta
from importlib import import_module
@@ -133,6 +134,8 @@ class AsyncMixin:
def get_result(self, request):
if not request.GET.get('async_id'):
raise BadRequest("No async_id given")
if not re.match(r"^[a-zA-Z0-9\-]+$", request.GET.get('async_id')):
raise BadRequest("Invalid async_id given")
res = AsyncResult(request.GET.get('async_id'))
if 'ajax' in self.request.GET:
return JsonResponse(self._return_ajax_result(res, timeout=0.25))
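Review bot: The new check in get_result uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so an otherwise valid id followed by `\n` still passes and is handed to `AsyncResult`. Use `re.fullmatch(r"[a-zA-Z0-9\-]+", async_id)` (or end the pattern with `\Z`), after binding `async_id = request.GET.get('async_id')` once so the value that is validated is the value that is used. If the ids are always Celery-generated UUIDs, which this page does not show, a length bound or a UUID parse would be tighter still. get_result's body continues outside the hunk.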