From be413693ce1afa612f32892f05ebdb102dd04486 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 4 Jan 2021 10:34:47 +0100
Subject: [PATCH] Validate range of geo_lat/geo_lon values
---
 src/pretix/base/models/event.py | 22 ++++++++++++++++++--
 src/pretix/control/forms/event.py | 6 +++++-
 src/pretix/control/forms/subevents.py | 2 ++
 src/pretix/static/pretixcontrol/js/ui/geo.js | 8 ++++++-
 4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/pretix/base/models/event.py b/src/pretix/base/models/event.py
index 08074ef762..2696c89200 100644
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -10,7 +10,9 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
 from django.core.mail import get_connection
-from django.core.validators import RegexValidator
+from django.core.validators import (
+ MaxValueValidator, MinValueValidator, RegexValidator,
+)
 from django.db import models
 from django.db.models import Exists, OuterRef, Prefetch, Q, Subquery, Value
 from django.template.defaultfilters import date as _date
@@ -393,10 +395,18 @@ class Event(EventMixin, LoggedModel):
 geo_lat = models.FloatField(
 verbose_name=_("Latitude"),
 null=True, blank=True,
+ validators=[
+ MinValueValidator(-90),
+ MaxValueValidator(90),
+ ]
 )
 geo_lon = models.FloatField(
 verbose_name=_("Longitude"),
 null=True, blank=True,
+ validators=[
+ MinValueValidator(-180),
+ MaxValueValidator(180),
+ ]
 )
 plugins = models.TextField(
 null=False, blank=True,
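Review bot: On `geo_lat` and `geo_lon` of `Event` (and again in the `SubEvent` hunk), `MinValueValidator`/`MaxValueValidator` compare with `<` and `>`, so a NaN value passes both bounds, and they run only where `full_clean()` is called. Form input is probably covered because Django's `forms.FloatField` rejects non-finite numbers, but a code path that sets the fields and calls `save()` directly, and rows already stored with out-of-range values, are untouched by this change. A comment above each list such as `# checked on full_clean() only; NaN is not caught by Min/MaxValueValidator` would record that limit. The diffstat lists no migration; Django serialises `validators` into migration state, so `makemigrations --check` will likely report a pending `AlterField` on both models. The `Event` class body starts and ends outside the hunk.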
@@ -1121,10 +1131,18 @@ class SubEvent(EventMixin, LoggedModel):
 geo_lat = models.FloatField(
 verbose_name=_("Latitude"),
 null=True, blank=True,
+ validators=[
+ MinValueValidator(-90),
+ MaxValueValidator(90),
+ ]
 )
 geo_lon = models.FloatField(
 verbose_name=_("Longitude"),
- null=True, blank=True
+ null=True, blank=True,
+ validators=[
+ MinValueValidator(-180),
+ MaxValueValidator(180),
+ ]
 )
 frontpage_text = I18nTextField(
 null=True, blank=True,
diff --git a/src/pretix/control/forms/event.py b/src/pretix/control/forms/event.py
index 9506a94546..b6b22e6cc4 100644
--- a/src/pretix/control/forms/event.py
+++ b/src/pretix/control/forms/event.py
@@ -134,6 +134,8 @@ class EventWizardBasicsForm(I18nModelForm):
 'presale_start': SplitDateTimePickerWidget(),
 'presale_end': SplitDateTimePickerWidget(attrs={'data-date-after': '#id_basics-presale_start_0'}),
 'slug': SlugWidget,
+ 'geo_lat': forms.NumberInput(attrs={'min': '-90', 'max': '90'}),
+ 'geo_lon': forms.NumberInput(attrs={'min': '-180', 'max': '180'}),
 }
 def __init__(self, *args, **kwargs):
@@ -392,7 +394,9 @@ class EventUpdateForm(I18nModelForm):
 'date_admission': SplitDateTimePickerWidget(attrs={'data-date-default': '#id_date_from_0'}),
 'presale_start': SplitDateTimePickerWidget(),
 'presale_end': SplitDateTimePickerWidget(attrs={'data-date-after': '#id_presale_start_0'}),
- 'sales_channels': CheckboxSelectMultiple()
+ 'sales_channels': CheckboxSelectMultiple(),
+ 'geo_lat': forms.NumberInput(attrs={'min': '-90', 'max': '90'}),
+ 'geo_lon': forms.NumberInput(attrs={'min': '-180', 'max': '180'}),
 }
diff --git a/src/pretix/control/forms/subevents.py b/src/pretix/control/forms/subevents.py
index db5afb264d..33d00665e0 100644
--- a/src/pretix/control/forms/subevents.py
+++ b/src/pretix/control/forms/subevents.py
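Review bot: The `min`/`max` attributes on the `geo_lat`/`geo_lon` widgets in `EventWizardBasicsForm` are browser hints only, and the same bounds are now written out again in `EventUpdateForm`, `SubEventForm`, the model validators and geo.js. A shared mapping spread into each `widgets` dict with `**GEO_WIDGETS` would keep them from drifting, for example `GEO_WIDGETS = {'geo_lat': forms.NumberInput(attrs={'min': '-90', 'max': '90'}), 'geo_lon': forms.NumberInput(attrs={'min': '-180', 'max': '180'})}`. The comma replacement in geo.js suggests these inputs can carry locale-formatted decimals; if so, it is worth checking that an explicit `NumberInput` still shows a stored value written like `52,5`, since a `type="number"` input blanks anything that is not a plain decimal. The `widgets` dict opens outside the hunk.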
@@ -55,6 +55,8 @@ class SubEventForm(I18nModelForm):
 'date_admission': SplitDateTimePickerWidget(attrs={'data-date-after': '#id_date_from_0'}),
 'presale_start': SplitDateTimePickerWidget(),
 'presale_end': SplitDateTimePickerWidget(attrs={'data-date-after': '#id_presale_start_0'}),
+ 'geo_lat': forms.NumberInput(attrs={'min': '-90', 'max': '90'}),
+ 'geo_lon': forms.NumberInput(attrs={'min': '-180', 'max': '180'}),
 }
diff --git a/src/pretix/static/pretixcontrol/js/ui/geo.js b/src/pretix/static/pretixcontrol/js/ui/geo.js
index 49f9d31d45..ab00704739 100644
--- a/src/pretix/static/pretixcontrol/js/ui/geo.js
+++ b/src/pretix/static/pretixcontrol/js/ui/geo.js
@@ -68,7 +68,13 @@ $(function () {
 function getpoint() {
 if ($lat.val() !== "" && $lon.val() !== "") {
- return [parseFloat($lat.val().replace(",", ".")), parseFloat($lon.val().replace(",", "."))];
+ var p = [parseFloat($lat.val().replace(",", ".")), parseFloat($lon.val().replace(",", "."))];
+ // Clip to valid ranges. Very invalid lon/lat values can even lead to browser crashes in leaflet apparently
+ if (p[0] < -90) p[0] = -90
+ if (p[0] > 90) p[0] = 90
+ if (p[1] < -180) p[1] = -180
+ if (p[1] > 180) p[1] = 180
+ return p
 } else {
 return [0.0, 0.0];
 }
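Review bot: In `getpoint()`, the clamp added after `parseFloat` lets NaN through, because every comparison with NaN is false; if either field holds text that does not parse, `p` still reaches the map code that this change is meant to protect. A check placed before the four clamp lines closes that gap: `if (isNaN(p[0]) || isNaN(p[1])) return [0.0, 0.0];`. Clamping also means the marker can show a position that differs from what is typed in the inputs, so the server-side validators remain the actual control. `getpoint()` and the enclosing `$(function () {` block close outside the hunk.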