Set max_length to 70 but for all name fields together and not only every single one.

src/pretix/api/views/checkin.py

@@ -1122,7 +1122,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     permission = 'event.orders:read'
 
     def get_queryset(self):
-        qs = Checkin.all.filter(list__event=self.request.event).select_related(
+        qs = Checkin.all.filter().select_related(
             "position",
             "device",
         )

src/pretix/base/forms/questions.py

@@ -90,7 +90,7 @@ from pretix.base.settings import (
     COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
     PERSON_NAME_SALUTATIONS, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS,
 )
-from pretix.base.templatetags.rich_text import rich_text
+from pretix.base.templatetags.rich_text import URL_RE, rich_text
 from pretix.base.timemachine import time_machine_now
 from pretix.control.forms import (
     ExtFileField, ExtValidationMixin, SizeValidationMixin, SplitDateTimeField,
@@ -227,9 +227,15 @@ class NamePartsFormField(forms.MultiValueField):
                     # bots.
                     r'^[^$€/%§{}<>~]*$',
                     message=_('Please do not use special characters in names.')
+                ),
+                RegexValidator(
+                    URL_RE,
+                    inverse_match=True,
+                    message=_('Please do not use special characters in names.')
                 )
             ]
         }
+        self.max_length = defaults['max_length']
         self.scheme_name = kwargs.pop('scheme')
         self.titles = kwargs.pop('titles')
         self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
@@ -287,7 +293,7 @@ class NamePartsFormField(forms.MultiValueField):
         if self.require_all_fields and not all(v for v in value):
             raise forms.ValidationError(self.error_messages['incomplete'], code='required')
 
-        if sum(len(v) for v in value.values() if v) > 250:
+        if sum(len(v) for v in value.values() if v) > (self.max_length or 250):
             raise forms.ValidationError(_('Please enter a shorter name.'), code='max_length')
 
         if value.get("salutation") == "empty":

src/pretix/base/middleware.py

@@ -24,7 +24,6 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
 
 from django.conf import settings
-from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -347,15 +346,6 @@ class SecurityMiddleware(MiddlewareMixin):
 
         return resp
 
-    def process_request(self, request):
-        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
-        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
-        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
-            raise BadRequest("Invalid characters in input.")
-        if request.method in ('POST', 'PUT', 'PATCH') and request.POST:
-            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
-                raise BadRequest("Invalid characters in input.")
-
 
 class CustomCommonMiddleware(CommonMiddleware):
 

src/pretix/base/modelimport.py

@@ -70,10 +70,6 @@ def parse_csv(file, length=None, mode="strict", charset=None):
         except ImportError:
             charset = file.charset
     data = data.decode(charset or "utf-8", mode)
-
-    # remove stray linebreaks from the end of the file
-    data = data.rstrip("\n")
-
     # If the file was modified on a Mac, it only contains \r as line breaks
     if '\r' in data and '\n' not in data:
         data = data.replace('\r', '\n')

src/pretix/presale/forms/customer.py

@@ -172,7 +172,7 @@ class RegistrationForm(forms.Form):
             )
 
         self.fields['name_parts'] = NamePartsFormField(
-            max_length=255,
+            max_length=70,
             required=True,
             scheme=request.organizer.settings.name_scheme,
             titles=request.organizer.settings.name_scheme_titles,

src/tests/base/test_modelimport_orders.py

@@ -991,30 +991,3 @@ def test_import_mixed_order_size_consistency(user, event, item):
         ).get()
     assert ('Inconsistent data in row 2: Column Email address contains value "a2@example.com", but for this order, '
             'the value has already been set to "a1@example.com".') in str(excinfo.value)
-
-
-@pytest.mark.django_db
-@scopes_disabled()
-def test_import_line_endings_mix(event, item, user):
-    # Ensures import works with mixed file endings.
-    # See Ticket#23230806 where a file to import ends with \r\n
-    settings = dict(DEFAULT_SETTINGS)
-    settings['item'] = 'static:{}'.format(item.pk)
-
-    cf = inputfile_factory()
-    file = cf.file
-    file.seek(0)
-    data = file.read()
-    data = data.replace(b'\n', b'\r')
-    data = data.rstrip(b'\r\r')
-    data = data + b'\r\n'
-
-    print(data)
-    cf.file.save("input.csv", ContentFile(data))
-    cf.save()
-
-    import_orders.apply(
-        args=(event.pk, cf.id, settings, 'en', user.pk)
-    )
-    assert event.orders.count() == 3
-    assert OrderPosition.objects.count() == 3