Orders API: Fix race condition in voucher redemption (Z#23230391)

The old code relied on the `Voucher.redeemed` value obtained *before*
the lock was taken, not afterwards.

The change in services/orders.py is functionally pointless, but it makes
the pattern of "fill availability only after lock" clearer and might
avoid introducing similar bugs in the future.

src/pretix/api/serializers/order.py

@@ -1412,6 +1412,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         qa = QuotaAvailability()
         qa.queue(*[q for q, d in quota_diff_for_locking.items() if d > 0])
         qa.compute()
+        v_avail = {}
 
         # These are not technically correct as diff use due to the time offset applied above, so let's prevent accidental
         # use further down
@@ -1441,11 +1442,13 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
 
                 voucher_usage[v] += 1
                 if voucher_usage[v] > 0:
-                    redeemed_in_carts = CartPosition.objects.filter(
-                        Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
-                    ).exclude(pk__in=[cp.pk for cp in delete_cps])
-                    v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
-                    if v_avail < voucher_usage[v]:
+                    if v not in v_avail:
+                        v.refresh_from_db(fields=['redeemed'])
+                        redeemed_in_carts = CartPosition.objects.filter(
+                            Q(voucher=v) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
+                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
+                        v_avail[v] = v.max_usages - v.redeemed - redeemed_in_carts.count()
+                    if v_avail[v] < voucher_usage[v]:
                         errs[i]['voucher'] = [
                             'The voucher has already been used the maximum number of times.'
                         ]

src/pretix/base/middleware.py

@@ -24,7 +24,6 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
 
 from django.conf import settings
-from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -347,15 +346,6 @@ class SecurityMiddleware(MiddlewareMixin):
 
         return resp
 
-    def process_request(self, request):
-        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
-        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
-        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
-            raise BadRequest("Invalid characters in input.")
-        if request.method in ('POST', 'PUT', 'PATCH') and request.POST:
-            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
-                raise BadRequest("Invalid characters in input.")
-
 
 class CustomCommonMiddleware(CommonMiddleware):
 

src/pretix/base/services/orders.py

@@ -727,8 +727,6 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
     _check_date(event, time_machine_now_dt)
 
     products_seen = Counter()
-    q_avail = Counter()
-    v_avail = Counter()
     v_usages = Counter()
     v_budget = {}
     deleted_positions = set()
@@ -793,6 +791,9 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
                 shared_lock_objects=[event]
             )
 
+    q_avail = Counter()
+    v_avail = Counter()
+
     # Check maximum order size
     limit = min(int(event.settings.max_items_per_order), settings.PRETIX_MAX_ORDER_SIZE)
     if sum(1 for cp in sorted_positions if not cp.addon_to) > limit: