From fd47e2de2949e07268f724a6dadd5c0bcc6ff3f2 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 25 Apr 2018 08:50:15 +0200
Subject: [PATCH] Add more entropy to cart IDs and bind them to session IDs
---
 src/pretix/presale/views/cart.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/pretix/presale/views/cart.py b/src/pretix/presale/views/cart.py
index 97bc37a941..8812c4d96f 100644
--- a/src/pretix/presale/views/cart.py
+++ b/src/pretix/presale/views/cart.py
@@ -144,12 +144,16 @@ class CartActionMixin:
 return items
-def generate_cart_id(prefix=''):
+def generate_cart_id(request=None, prefix=''):
 """
 Generates a random new cart ID that is not currently in use, with an optional pretix.
 """
 while True:
- new_id = prefix + get_random_string(length=32 - len(prefix))
+ new_id = prefix + get_random_string(length=48 - len(prefix))
+ if request:
+ if not request.session.session_key:
+ request.session.create()
+ new_id += "@" + request.session.session_key
 if not CartPosition.objects.filter(cart_id=new_id).exists():
 return new_id
@@ -172,7 +176,7 @@ def create_empty_cart_id(request, replace_current=True):
 if 'carts' not in request.session:
 request.session['carts'] = {}
- new_id = generate_cart_id(prefix=prefix)
+ new_id = generate_cart_id(request, prefix=prefix)
 request.session['carts'][new_id] = {}
 if replace_current:
@@ -258,7 +262,7 @@ def get_or_create_cart_id(request, create=True):
 else:
 if not create:
 return None
- new_id = generate_cart_id(prefix=prefix)
+ new_id = generate_cart_id(request, prefix=prefix)
 # Migrate legacy data
 # TODO: This is for the upgrade 1.7→1.8. We should remove this around April 2018
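Review bot: The new line `new_id += "@" + request.session.session_key` copies the raw session key into a value that is persisted in `CartPosition.cart_id` (see the `.filter(cart_id=new_id)` check right below it), so every place that stores, exports, logs or displays cart IDs now also carries the session credential itself. Tying the cart to the session does not require the key: derive a one-way tag instead, e.g. `new_id += "@" + salted_hmac("pretix.cart_id", request.session.session_key).hexdigest()` (from `django.utils.crypto`), which is stable for the session but cannot be turned back into it; the resulting length should then be checked against the `cart_id` column's max length, which this diff does not show. Nothing in the hunk verifies the suffix against the current session, so the "binding" is presumably enforced elsewhere or in a follow-up — a sentence in the docstring saying where would help. The docstring should also cover the new parameter and fix the typo: `Generates a random new cart ID that is not currently in use, with an optional prefix; when *request* is given the ID is additionally tied to that request's session.` Inserting `request` ahead of `prefix` changes the meaning of the first positional argument, so any caller outside this diff that passed the prefix positionally would now hand it in as `request`.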