From 8f7cf77462682ce7ea5315f6be8a9df52aae6e7e Mon Sep 17 00:00:00 2001
From: Richard Schreiber
Date: Thu, 16 Apr 2026 15:33:31 +0200
Subject: [PATCH] Validate async_id as celery returns any provided ID-value for unknown AsyncResults
---
 src/pretix/base/views/tasks.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/pretix/base/views/tasks.py b/src/pretix/base/views/tasks.py
index e763d7fba3..f60d261b9d 100644
--- a/src/pretix/base/views/tasks.py
+++ b/src/pretix/base/views/tasks.py
@@ -20,6 +20,7 @@
 # .
 #
 import logging
+import re
 from collections import defaultdict
 from datetime import timedelta
 from importlib import import_module
@@ -133,6 +134,8 @@ class AsyncMixin:
 def get_result(self, request):
 if not request.GET.get('async_id'):
 raise BadRequest("No async_id given")
+if not re.match(r"^[a-zA-Z0-9\-]+$", request.GET.get('async_id')):
+raise BadRequest("Invalid async_id given")
 res = AsyncResult(request.GET.get('async_id'))
 if 'ajax' in self.request.GET:
 return JsonResponse(self._return_ajax_result(res, timeout=0.25))
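Review bot: The new check in get_result uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a value like `abc\n` passes the validation and still reaches `AsyncResult`; `re.fullmatch(r"[a-zA-Z0-9-]+", async_id)` closes that gap. The value is also fetched from `request.GET` three times in a row; reading it once, `async_id = request.GET.get('async_id')`, and reusing that local in both checks and in `AsyncResult(async_id)` makes it visible that the validated value and the used value are the same. If the IDs accepted here are always Celery-generated UUIDs a stricter format check could be considered, but the hunk does not show what produces them, so the character-class check may be the intended compromise. get_result continues past the end of the hunk.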