Voucher redemption: Raise 404 error if subevent_pk is not an integer (#2590)

Co-authored-by: Raphael Michel <michel@rami.io>
2026-05-05 15:14:04 +00:00 · 2022-04-12 11:12:06 +02:00
parent 3e8e454e92
commit d19cb14dc1
1 changed files with 6 additions and 3 deletions
--- a/src/pretix/presale/views/cart.py
+++ b/src/pretix/presale/views/cart.py
@@ -50,7 +50,7 @@ from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.http import is_safe_url, url_has_allowed_host_and_scheme
 from django.utils.timezone import now
-from django.utils.translation import gettext as _
+from django.utils.translation import gettext as _, pgettext
 from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.generic import TemplateView, View
 from django_scopes import scopes_disabled
@@ -630,8 +630,11 @@ class RedeemView(NoSearchIndexViewMixin, EventViewMixin, CartMixin, TemplateView
        self.subevent = None
        if request.event.has_subevents:
            if request.GET.get('subevent'):
-                self.subevent = get_object_or_404(SubEvent, event=request.event, pk=request.GET.get('subevent'),
-                                                  active=True)
+                try:
+                    subevent_pk = int(request.GET.get('subevent'))
+                    self.subevent = request.event.subevents.get(pk=subevent_pk, active=True)
+                except (ValueError, SubEvent.DoesNotExist):
+                    raise Http404(pgettext('subevent', 'We were unable to find the specified date.'))  

            if hasattr(self, 'voucher') and self.voucher.subevent:
                self.subevent = self.voucher.subevent