CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-08 15:44:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make str.format_map with untrusted input safer (#2931)

Browse Source
This commit is contained in:
Raphael Michel
2022-12-08 13:49:07 +01:00
committed by GitHub
parent 11eecd739d
commit b64c5735a8
12 changed files with 89 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/pretix/base/services/mail.py
View File

@@ -76,6 +76,7 @@ from pretix.base.services.tasks import TransactionAwareTask
from pretix.base.services.tickets import get_tickets_for_order
from pretix.base.signals import email_filter, global_email_filter
from pretix.celery_app import app
from pretix.helpers.format import format_map
from pretix.helpers.hierarkey import clean_filename
from pretix.multidomain.urlreverse import build_absolute_uri
from pretix.presale.ical import get_private_icals
@@ -85,6 +86,7 @@ INVALID_ADDRESS = 'invalid-pretix-mail-address'
class TolerantDict(dict):
# kept for backwards compatibility with plugins
def __missing__(self, key):
return key
@@ -109,7 +111,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
:param template: The filename of a template to be used. It will be rendered with the locale given in the locale
argument and the context given in the next argument. Alternatively, you can pass a LazyI18nString and
``context`` will be used as the argument to a Python ``.format_map()`` call on the template.
``context`` will be used as the argument to a ``pretix.helpers.format.format_map(template, context)`` call on the template.
:param context: The context for rendering the template (see ``template`` parameter)
@@ -177,7 +179,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
})
renderer = ClassicMailRenderer(None, organizer)
content_plain = body_plain = render_mail(template, context)
subject = str(subject).format_map(TolerantDict(context))
subject = format_map(str(subject), context)
sender = (
sender or
(event.settings.get('mail_from') if event else None) or
@@ -608,7 +610,7 @@ def render_mail(template, context):
if isinstance(template, LazyI18nString):
body = str(template)
if context:
body = body.format_map(TolerantDict(context))
body = format_map(body, context)
else:
tpl = get_template(template)
body = tpl.render(context)