Improve URL parameter validation

2026-05-06 15:24:02 +00:00 · 2016-12-08 12:22:04 +01:00
parent 8cb977e4d6
commit d27fefe4da
3 changed files with 13 additions and 7 deletions
--- a/src/pretix/base/views/cachedfiles.py
+++ b/src/pretix/base/views/cachedfiles.py
@@ -1,6 +1,6 @@
 import os

-from django.http import FileResponse, HttpRequest, HttpResponse
+from django.http import FileResponse, Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django.views.generic import TemplateView
@@ -13,7 +13,10 @@ class DownloadView(TemplateView):

    @cached_property
    def object(self) -> CachedFile:
-        return get_object_or_404(CachedFile, id=self.kwargs['id'])
+        try:
+            return get_object_or_404(CachedFile, id=self.kwargs['id'])
+        except ValueError:   # Invalid URLs
+            raise Http404()

    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        if 'ajax' in request.GET:
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -100,10 +100,13 @@ class OrderView(EventPermissionRequiredMixin, DetailView):
    model = Order

    def get_object(self, queryset=None):
-        return Order.objects.get(
-            event=self.request.event,
-            code=self.kwargs['code'].upper()
-        )
+        try:
+            return Order.objects.get(
+                event=self.request.event,
+                code=self.kwargs['code'].upper()
+            )
+        except Order.DoesNotExist:
+            raise Http404()

    def _redirect_back(self):
        return redirect('control:event.order',
--- a/src/pretix/presale/urls.py
+++ b/src/pretix/presale/urls.py
@@ -48,7 +48,7 @@ event_patterns = [
    url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/download/(?P<position>[0-9]+)/(?P<output>[^/]+)$',
        pretix.presale.views.order.OrderDownload.as_view(),
        name='event.order.download'),
-    url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/invoice/(?P<invoice>[^/]+)$',
+    url(r'^order/(?P<order>[^/]+)/(?P<secret>[A-Za-z0-9]+)/invoice/(?P<invoice>[0-9]+)$',
        pretix.presale.views.order.InvoiceDownload.as_view(),
        name='event.invoice.download'),
    url(r'^$', pretix.presale.views.event.EventIndex.as_view(), name='event.index'),