Prevent nullbytes in input data globally

[SECURITY] API: Add missing event filter for check-ins
Order import: handle mixed endings of last line (Z#23230806) (#6066 )
2026-04-11 21:22:29 +00:00 · 2026-04-09 09:47:29 +02:00 · 2026-04-08 13:57:55 +02:00 · 2026-04-08 13:25:38 +02:00
4 changed files with 42 additions and 1 deletions
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -1122,7 +1122,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
    permission = 'event.orders:read'

    def get_queryset(self):
-        qs = Checkin.all.filter().select_related(
+        qs = Checkin.all.filter(list__event=self.request.event).select_related(
            "position",
            "device",
        )
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -24,6 +24,7 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

 from django.conf import settings
+from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -346,6 +347,15 @@ class SecurityMiddleware(MiddlewareMixin):

        return resp

+    def process_request(self, request):
+        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
+        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
+        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
+            raise BadRequest("Invalid characters in input.")
+        if request.method in ('POST', 'PUT', 'PATCH') and request.POST:
+            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
+                raise BadRequest("Invalid characters in input.")
+

 class CustomCommonMiddleware(CommonMiddleware):

--- a/src/pretix/base/modelimport.py
+++ b/src/pretix/base/modelimport.py
@@ -70,6 +70,10 @@ def parse_csv(file, length=None, mode="strict", charset=None):
        except ImportError:
            charset = file.charset
    data = data.decode(charset or "utf-8", mode)
+
+    # remove stray linebreaks from the end of the file
+    data = data.rstrip("\n")
+
    # If the file was modified on a Mac, it only contains \r as line breaks
    if '\r' in data and '\n' not in data:
        data = data.replace('\r', '\n')
--- a/src/tests/base/test_modelimport_orders.py
+++ b/src/tests/base/test_modelimport_orders.py
@@ -991,3 +991,30 @@ def test_import_mixed_order_size_consistency(user, event, item):
        ).get()
    assert ('Inconsistent data in row 2: Column Email address contains value "a2@example.com", but for this order, '
            'the value has already been set to "a1@example.com".') in str(excinfo.value)
+
+
+@pytest.mark.django_db
+@scopes_disabled()
+def test_import_line_endings_mix(event, item, user):
+    # Ensures import works with mixed file endings.
+    # See Ticket#23230806 where a file to import ends with \r\n
+    settings = dict(DEFAULT_SETTINGS)
+    settings['item'] = 'static:{}'.format(item.pk)
+
+    cf = inputfile_factory()
+    file = cf.file
+    file.seek(0)
+    data = file.read()
+    data = data.replace(b'\n', b'\r')
+    data = data.rstrip(b'\r\r')
+    data = data + b'\r\n'
+
+    print(data)
+    cf.file.save("input.csv", ContentFile(data))
+    cf.save()
+
+    import_orders.apply(
+        args=(event.pk, cf.id, settings, 'en', user.pk)
+    )
+    assert event.orders.count() == 3
+    assert OrderPosition.objects.count() == 3
Author	SHA1	Message	Date
Raphael Michel	8a88af3fca	Prevent nullbytes in input data globally	2026-04-09 09:47:29 +02:00
Raphael Michel	221cbd15ab	[SECURITY] API: Add missing event filter for check-ins	2026-04-08 13:57:55 +02:00
Lukas Bockstaller	5c7104634e	Order import: handle mixed endings of last line (Z#23230806) (#6066 ) * handle mixed line endings in import * formatting	2026-04-08 13:25:38 +02:00