Add location tests

* Display invoice and tickets inline in browser (Z#23225892)

* Use FileResponse filename for AnswerDownload

* Use inline for PDF-view in pretix-control editor

* use as_attachment for API FileResponses

* do not ignore csp even for disposition=inline

* use as_attachment for file responses in control

* remove unused code

* improve code style

* Invoice preview inline

* do not force download on tickets in backend

* do not force download on AnswerDownload

* imrpove code style

* improve code style

* fix missing int str conversion

* Apply suggestions from code review

Co-authored-by: luelista <mira@teamwiki.de>

---------

Co-authored-by: luelista <mira@teamwiki.de>

doc/api/resources/item_program_times.rst

@@ -16,6 +16,7 @@ Field                                 Type                       Description
 id                                    integer                    Internal ID of the program time
 start                                 datetime                   The start date time for this program time slot.
 end                                   datetime                   The end date time for this program time slot.
+location                              multi-lingual string       The program time slot's location (or ``null``)
 ===================================== ========================== =======================================================
 
 .. versionchanged:: TODO
@@ -54,17 +55,20 @@ Endpoints
             {
                "id": 2,
                "start": "2025-08-14T22:00:00Z",
-               "end": "2025-08-15T00:00:00Z"
+               "end": "2025-08-15T00:00:00Z",
+               "location": null
             },
             {
                "id": 3,
                "start": "2025-08-12T22:00:00Z",
-               "end": "2025-08-13T22:00:00Z"
+               "end": "2025-08-13T22:00:00Z",
+               "location": null
             },
             {
                "id": 14,
                "start": "2025-08-15T22:00:00Z",
-               "end": "2025-08-17T22:00:00Z"
+               "end": "2025-08-17T22:00:00Z",
+               "location": null
             }
         ]
       }
@@ -99,7 +103,8 @@ Endpoints
       {
          "id": 1,
          "start": "2025-08-15T22:00:00Z",
-         "end": "2025-10-27T23:00:00Z"
+         "end": "2025-10-27T23:00:00Z",
+         "location": null
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -125,7 +130,8 @@ Endpoints
 
       {
         "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
       }
 
    **Example response**:
@@ -139,7 +145,8 @@ Endpoints
       {
         "id": 17,
         "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
       }
 
    :param organizer: The ``slug`` field of the organizer of the event/item to create a program time for

src/pretix/api/serializers/item.py

@@ -191,7 +191,7 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
 class InlineItemProgramTimeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemProgramTime
-        fields = ('start', 'end')
+        fields = ('start', 'end', 'location')
 
 
 class ItemBundleSerializer(serializers.ModelSerializer):
@@ -222,7 +222,7 @@ class ItemBundleSerializer(serializers.ModelSerializer):
 class ItemProgramTimeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemProgramTime
-        fields = ('id', 'start', 'end')
+        fields = ('id', 'start', 'end', 'location')
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/order.py

@@ -769,7 +769,11 @@ class PaymentDetailsField(serializers.Field):
         pp = value.payment_provider
         if not pp:
             return {}
-        return pp.api_payment_details(value)
+        try:
+            return pp.api_payment_details(value)
+        except Exception:
+            logger.exception("Failed to retrieve payment_details")
+            return {}
 
 
 class OrderPaymentSerializer(I18nAwareModelSerializer):
@@ -1412,7 +1416,6 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         qa = QuotaAvailability()
         qa.queue(*[q for q, d in quota_diff_for_locking.items() if d > 0])
         qa.compute()
-        v_avail = {}
 
         # These are not technically correct as diff use due to the time offset applied above, so let's prevent accidental
         # use further down
@@ -1442,13 +1445,11 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
 
                 voucher_usage[v] += 1
                 if voucher_usage[v] > 0:
-                    if v not in v_avail:
-                        v.refresh_from_db(fields=['redeemed'])
-                        redeemed_in_carts = CartPosition.objects.filter(
-                            Q(voucher=v) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
-                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
-                        v_avail[v] = v.max_usages - v.redeemed - redeemed_in_carts.count()
-                    if v_avail[v] < voucher_usage[v]:
+                    redeemed_in_carts = CartPosition.objects.filter(
+                        Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
+                    ).exclude(pk__in=[cp.pk for cp in delete_cps])
+                    v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
+                    if v_avail < voucher_usage[v]:
                         errs[i]['voucher'] = [
                             'The voucher has already been used the maximum number of times.'
                         ]

src/pretix/api/views/order.py

@@ -381,12 +381,15 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), order.code,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), order.code,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def mark_paid(self, request, **kwargs):
@@ -1303,14 +1306,17 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
             raise NotFound()
 
         ftype, ignored = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            os.path.basename(answer.file.name).split('.', 1)[1]
+        return FileResponse(
+            answer.file,
+            filename='{}-{}-{}-{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                os.path.basename(answer.file.name).split('.', 1)[1]
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name="printlog", url_path="printlog", methods=["POST"])
     def printlog(self, request, **kwargs):
@@ -1365,15 +1371,18 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
             if hasattr(image_file, 'seek'):
                 image_file.seek(0)
 
-        resp = FileResponse(image_file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}.{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            key,
-            extension,
+        return FileResponse(
+            image_file,
+            filename='{}-{}-{}-{}.{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                key,
+                extension,
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
     def download(self, request, output, **kwargs):
@@ -1399,12 +1408,15 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), pos.order.code, pos.positionid,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), pos.order.code, pos.positionid,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def regenerate_secrets(self, request, **kwargs):
@@ -1986,9 +1998,12 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
         if not invoice.file:
             raise RetryException()
 
-        resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
-        return resp
+        return FileResponse(
+            invoice.file.file,
+            filename='{}.pdf'.format(invoice.number),
+            as_attachment=True,
+            content_type='application/pdf'
+        )
 
     @action(detail=True, methods=['POST'])
     def transmit(self, request, **kwargs):

src/pretix/base/email.py

@@ -19,7 +19,10 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import ipaddress
 import logging
+import smtplib
+import socket
 from itertools import groupby
 from smtplib import SMTPResponseException
 from typing import TypeVar
@@ -237,3 +240,80 @@ def base_renderers(sender, **kwargs):
 
 def get_email_context(**kwargs):
     return PlaceholderContext(**kwargs).render_all()
+
+
+def create_connection(address, timeout=socket.getdefaulttimeout(),
+                      source_address=None, *, all_errors=False):
+    # Taken from the python stdlib, extended with a check for local ips
+
+    host, port = address
+    exceptions = []
+    for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
+        af, socktype, proto, canonname, sa = res
+
+        if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
+            ip_addr = ipaddress.ip_address(sa[0])
+            if ip_addr.is_multicast:
+                raise socket.error(f"Request to multicast address {sa[0]} blocked")
+            if ip_addr.is_loopback or ip_addr.is_link_local:
+                raise socket.error(f"Request to local address {sa[0]} blocked")
+            if ip_addr.is_private:
+                raise socket.error(f"Request to private address {sa[0]} blocked")
+
+        sock = None
+        try:
+            sock = socket.socket(af, socktype, proto)
+            if timeout is not socket.getdefaulttimeout():
+                sock.settimeout(timeout)
+            if source_address:
+                sock.bind(source_address)
+            sock.connect(sa)
+            # Break explicitly a reference cycle
+            exceptions.clear()
+            return sock
+
+        except socket.error as exc:
+            if not all_errors:
+                exceptions.clear()  # raise only the last error
+            exceptions.append(exc)
+            if sock is not None:
+                sock.close()
+
+    if len(exceptions):
+        try:
+            if not all_errors:
+                raise exceptions[0]
+            raise ExceptionGroup("create_connection failed", exceptions)
+        finally:
+            # Break explicitly a reference cycle
+            exceptions.clear()
+    else:
+        raise socket.error("getaddrinfo returns an empty list")
+
+
+class CheckPrivateNetworkMixin:
+    # _get_socket taken 1:1 from smtplib, just with a call to our own create_connection
+    def _get_socket(self, host, port, timeout):
+        # This makes it simpler for SMTP_SSL to use the SMTP connect code
+        # and just alter the socket connection bit.
+        if timeout is not None and not timeout:
+            raise ValueError('Non-blocking socket (timeout=0) is not supported')
+        if self.debuglevel > 0:
+            self._print_debug('connect: to', (host, port), self.source_address)
+        return create_connection((host, port), timeout, self.source_address)
+
+
+class SMTP(CheckPrivateNetworkMixin, smtplib.SMTP):
+    pass
+
+
+# SMTP used here instead of mixin, because smtp.SMTP_SSL._get_socket calls super()._get_socket and then wraps this socket
+# super()._get_socket needs to be our version from the mixin
+class SMTP_SSL(smtplib.SMTP_SSL, SMTP):  # noqa: N801
+    pass
+
+
+class CheckPrivateNetworkSmtpBackend(EmailBackend):
+    @property
+    def connection_class(self):
+        return SMTP_SSL if self.use_ssl else SMTP

src/pretix/base/migrations/0299_itemprogramtime_location.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.27 on 2026-01-21 12:06
+
+from django.db import migrations, models
+import i18nfield.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0298_pluggable_permissions"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="itemprogramtime",
+            name="location",
+            field=i18nfield.fields.I18nTextField(max_length=200, null=True),
+        )
+    ]

src/pretix/base/models/items.py

@@ -2306,10 +2306,17 @@ class ItemProgramTime(models.Model):
     :type start: datetime
     :param end: The date and time this program time ends
     :type end: datetime
+    :param location: venue
+    :type location: str
     """
     item = models.ForeignKey('Item', related_name='program_times', on_delete=models.CASCADE)
     start = models.DateTimeField(verbose_name=_("Start"))
     end = models.DateTimeField(verbose_name=_("End"))
+    location = I18nTextField(
+        null=True, blank=True,
+        max_length=200,
+        verbose_name=_("Location"),
+    )
 
     def clean(self):
         if hasattr(self, 'item') and self.item and self.item.event.has_subevents:

src/pretix/base/services/invoices.py

@@ -58,6 +58,7 @@ from pretix.base.invoicing.transmission import (
 from pretix.base.models import (
     ExchangeRate, Invoice, InvoiceAddress, InvoiceLine, Order, OrderFee,
 )
+from pretix.base.models.orders import OrderPayment
 from pretix.base.models.tax import EU_CURRENCIES
 from pretix.base.services.tasks import (
     TransactionAwareProfiledEventTask, TransactionAwareTask,
@@ -102,7 +103,7 @@ def build_invoice(invoice: Invoice) -> Invoice:
         introductory = invoice.event.settings.get('invoice_introductory_text', as_type=LazyI18nString)
         additional = invoice.event.settings.get('invoice_additional_text', as_type=LazyI18nString)
         footer = invoice.event.settings.get('invoice_footer_text', as_type=LazyI18nString)
-        if lp and lp.payment_provider:
+        if lp and lp.payment_provider and lp.state not in (OrderPayment.PAYMENT_STATE_FAILED, OrderPayment.PAYMENT_STATE_CANCELED):
             if 'payment' in inspect.signature(lp.payment_provider.render_invoice_text).parameters:
                 payment = str(lp.payment_provider.render_invoice_text(invoice.order, lp))
             else:

src/pretix/base/services/orders.py

@@ -727,6 +727,8 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
     _check_date(event, time_machine_now_dt)
 
     products_seen = Counter()
+    q_avail = Counter()
+    v_avail = Counter()
     v_usages = Counter()
     v_budget = {}
     deleted_positions = set()
@@ -791,9 +793,6 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
                 shared_lock_objects=[event]
             )
 
-    q_avail = Counter()
-    v_avail = Counter()
-
     # Check maximum order size
     limit = min(int(event.settings.max_items_per_order), settings.PRETIX_MAX_ORDER_SIZE)
     if sum(1 for cp in sorted_positions if not cp.addon_to) > limit:

src/pretix/control/forms/item.py

@@ -1354,6 +1354,10 @@ class ItemProgramTimeForm(I18nModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['end'].widget.attrs['data-date-after'] = '#id_{prefix}-start_0'.format(prefix=self.prefix)
+        self.fields['location'].widget.attrs['rows'] = '1'
+        self.fields['location'].widget.attrs['placeholder'] = _(
+            'Sample Conference Center, Heidelberg, Germany'
+        )
 
     class Meta:
         model = ItemProgramTime
@@ -1361,6 +1365,7 @@ class ItemProgramTimeForm(I18nModelForm):
         fields = [
             'start',
             'end',
+            'location'
         ]
         field_classes = {
             'start': forms.SplitDateTimeField,

src/pretix/control/templates/pretixcontrol/item/include_program_times.html

@@ -34,6 +34,7 @@
                     {% bootstrap_form_errors form %}
                     {% bootstrap_field form.start layout="control" %}
                     {% bootstrap_field form.end layout="control" %}
+                    {% bootstrap_field form.location layout="control" %}
                 </div>
             </div>
         {% endfor %}
@@ -59,6 +60,7 @@
                 <div class="panel-body form-horizontal">
                     {% bootstrap_field formset.empty_form.start layout="control" %}
                     {% bootstrap_field formset.empty_form.end layout="control" %}
+                    {% bootstrap_field formset.empty_form.location layout="control" %}
                 </div>
             </div>
         {% endescapescript %}

src/pretix/control/views/event.py

@@ -763,12 +763,7 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
     def get(self, request, *args, **kwargs):
         fname, ftype, fcontent = build_preview_invoice_pdf(request.event)
         resp = HttpResponse(fcontent, content_type=ftype)
-        if settings.DEBUG:
-            # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
-            resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
-            resp._csp_ignore = True
-        else:
-            resp['Content-Disposition'] = 'attachment; filename="{}"'.format(fname)
+        resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
         return resp
 
 

src/pretix/control/views/global_settings.py

@@ -300,5 +300,4 @@ class SysReportView(AdministratorPermissionRequiredMixin, TemplateView):
             resp = HttpResponse(data)
             resp['Content-Type'] = mime
             resp['Content-Disposition'] = 'inline; filename="{}"'.format(name)
-            resp._csp_ignore = True
             return resp

src/pretix/control/views/orders.py

@@ -710,22 +710,26 @@ class OrderDownload(AsyncAction, OrderView):
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                    self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename='{}-{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                        self.output.identifier, value.extension
+                    ),
+                    content_type=value.type
                 )
-                return resp
         elif isinstance(value, CachedCombinedTicket):
             if value.type == 'text/uri-list':
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename='{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                    ),
+                    content_type=value.type
                 )
-                return resp
         else:
             return redirect(self.get_self_url())
 
@@ -1831,15 +1835,15 @@ class InvoiceDownload(EventPermissionRequiredMixin, View):
             return redirect(self.get_order_url())
 
         try:
-            resp = FileResponse(self.invoice.file.file, content_type='application/pdf')
+            return FileResponse(
+                self.invoice.file.file,
+                filename='{}.pdf'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number)),
+                content_type='application/pdf'
+            )
         except FileNotFoundError:
             invoice_pdf_task.apply(args=(self.invoice.pk,))
             return self.get(request, *args, **kwargs)
 
-        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number))
-        resp._csp_ignore = True  # Some browser's PDF readers do not work with CSP
-        return resp
-
 
 class OrderExtend(OrderView):
     permission = 'event.orders:write'

src/pretix/control/views/pdf.py

@@ -263,12 +263,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
 
             resp = HttpResponse(data, content_type=mimet)
             ftype = fname.split(".")[-1]
-            if settings.DEBUG:
-                # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
-                resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
-                resp._csp_ignore = True
-            else:
-                resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
             return resp
         elif "data" in request.POST:
             if cf:
@@ -309,6 +304,5 @@ class FontsCSSView(TemplateView):
 class PdfView(TemplateView):
     def get(self, request, *args, **kwargs):
         cf = get_object_or_404(CachedFile, id=kwargs.get("filename"), filename="background_preview.pdf")
-        resp = FileResponse(cf.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename)
+        resp = FileResponse(cf.file, filename=cf.filename, content_type='application/pdf')
         return resp

src/pretix/helpers/monkeypatching.py

@@ -19,12 +19,26 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import ipaddress
+import socket
+import sys
 import types
 from datetime import datetime
 from http import cookies
 
+from django.conf import settings
 from PIL import Image
 from requests.adapters import HTTPAdapter
+from urllib3.connection import HTTPConnection, HTTPSConnection
+from urllib3.connectionpool import HTTPConnectionPool, HTTPSConnectionPool
+from urllib3.exceptions import (
+    ConnectTimeoutError, HTTPError, LocationParseError, NameResolutionError,
+    NewConnectionError,
+)
+from urllib3.util.connection import (
+    _TYPE_SOCKET_OPTIONS, _set_socket_options, allowed_gai_family,
+)
+from urllib3.util.timeout import _DEFAULT_TIMEOUT
 
 
 def monkeypatch_vobject_performance():
@@ -89,6 +103,123 @@ def monkeypatch_requests_timeout():
     HTTPAdapter.send = httpadapter_send
 
 
+def monkeypatch_urllib3_ssrf_protection():
+    """
+    pretix allows HTTP requests to untrusted URLs, e.g. through webhooks or external API URLs. This is dangerous since
+    it can allow access to private networks that should not be reachable by users ("server-side request forgery", SSRF).
+    Validating URLs at submission is not sufficient, since with DNS rebinding an attacker can make a domain name pass
+    validation and then resolve to a private IP address on actual execution. Unfortunately, there seems no clean solution
+    to this in Python land, so we monkeypatch urllib3's connection management to check the IP address to be external
+    *after* the DNS resolution.
+
+    This does not work when a global http(s) proxy is used, but in that scenario the proxy can perform the validation.
+    """
+    if getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
+        # Settings are not supposed to change during runtime, so we can optimize performance and complexity by skipping
+        # this if not needed.
+        return
+
+    def create_connection(
+        address: tuple[str, int],
+        timeout=_DEFAULT_TIMEOUT,
+        source_address: tuple[str, int] | None = None,
+        socket_options: _TYPE_SOCKET_OPTIONS | None = None,
+    ) -> socket.socket:
+        # This is copied from urllib3.util.connection v2.3.0
+        host, port = address
+        if host.startswith("["):
+            host = host.strip("[]")
+        err = None
+
+        # Using the value from allowed_gai_family() in the context of getaddrinfo lets
+        # us select whether to work with IPv4 DNS records, IPv6 records, or both.
+        # The original create_connection function always returns all records.
+        family = allowed_gai_family()
+
+        try:
+            host.encode("idna")
+        except UnicodeError:
+            raise LocationParseError(f"'{host}', label empty or too long") from None
+
+        for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
+            af, socktype, proto, canonname, sa = res
+
+            if not getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
+                ip_addr = ipaddress.ip_address(sa[0])
+                if ip_addr.is_multicast:
+                    raise HTTPError(f"Request to multicast address {sa[0]} blocked")
+                if ip_addr.is_loopback or ip_addr.is_link_local:
+                    raise HTTPError(f"Request to local address {sa[0]} blocked")
+                if ip_addr.is_private:
+                    raise HTTPError(f"Request to private address {sa[0]} blocked")
+
+            sock = None
+            try:
+                sock = socket.socket(af, socktype, proto)
+
+                # If provided, set socket level options before connecting.
+                _set_socket_options(sock, socket_options)
+
+                if timeout is not _DEFAULT_TIMEOUT:
+                    sock.settimeout(timeout)
+                if source_address:
+                    sock.bind(source_address)
+                sock.connect(sa)
+                # Break explicitly a reference cycle
+                err = None
+                return sock
+
+            except OSError as _:
+                err = _
+                if sock is not None:
+                    sock.close()
+
+        if err is not None:
+            try:
+                raise err
+            finally:
+                # Break explicitly a reference cycle
+                err = None
+        else:
+            raise OSError("getaddrinfo returns an empty list")
+
+    class ProtectionMixin:
+        def _new_conn(self) -> socket.socket:
+            # This is 1:1 the version from urllib3.connection.HTTPConnection._new_conn v2.3.0
+            # just with a call to our own create_connection
+            try:
+                sock = create_connection(
+                    (self._dns_host, self.port),
+                    self.timeout,
+                    source_address=self.source_address,
+                    socket_options=self.socket_options,
+                )
+            except socket.gaierror as e:
+                raise NameResolutionError(self.host, self, e) from e
+            except socket.timeout as e:
+                raise ConnectTimeoutError(
+                    self,
+                    f"Connection to {self.host} timed out. (connect timeout={self.timeout})",
+                ) from e
+
+            except OSError as e:
+                raise NewConnectionError(
+                    self, f"Failed to establish a new connection: {e}"
+                ) from e
+
+            sys.audit("http.client.connect", self, self.host, self.port)
+            return sock
+
+    class ProtectedHTTPConnection(ProtectionMixin, HTTPConnection):
+        pass
+
+    class ProtectedHTTPSConnection(ProtectionMixin, HTTPSConnection):
+        pass
+
+    HTTPConnectionPool.ConnectionCls = ProtectedHTTPConnection
+    HTTPSConnectionPool.ConnectionCls = ProtectedHTTPSConnection
+
+
 def monkeypatch_cookie_morsel():
     # See https://code.djangoproject.com/ticket/34613
     cookies.Morsel._flags.add("partitioned")
@@ -99,4 +230,5 @@ def monkeypatch_all_at_ready():
     monkeypatch_vobject_performance()
     monkeypatch_pillow_safer()
     monkeypatch_requests_timeout()
+    monkeypatch_urllib3_ssrf_protection()
     monkeypatch_cookie_morsel()

src/pretix/locale/da/LC_MESSAGES/django.po

@@ -4,16 +4,16 @@ msgstr ""
 "Project-Id-Version: 1\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-30 11:22+0000\n"
-"PO-Revision-Date: 2026-03-05 20:00+0000\n"
+"PO-Revision-Date: 2026-04-13 14:01+0000\n"
 "Last-Translator: Mie Frydensbjerg <mif@aarhus.dk>\n"
-"Language-Team: Danish <https://translate.pretix.eu/projects/pretix/pretix/da/"
-">\n"
+"Language-Team: Danish <https://translate.pretix.eu/projects/pretix/pretix/"
+"da/>\n"
 "Language: da\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.16.1\n"
+"X-Generator: Weblate 5.16.2\n"
 
 #: pretix/_base_settings.py:87
 msgid "English"
@@ -36078,7 +36078,6 @@ msgstr "Book nu"
 #: pretix/presale/templates/pretixpresale/fragment_event_list_status.html:38
 #: pretix/presale/templates/pretixpresale/fragment_week_calendar.html:74
 #: pretix/presale/views/widget.py:463
-#, fuzzy
 msgid "Fully booked"
 msgstr "Fuldt booket"
 

src/pretix/locale/ja/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-30 11:22+0000\n"
-"PO-Revision-Date: 2026-03-23 21:00+0000\n"
+"PO-Revision-Date: 2026-04-08 18:00+0000\n"
 "Last-Translator: Hijiri Umemoto <hijiri@umemoto.org>\n"
 "Language-Team: Japanese <https://translate.pretix.eu/projects/pretix/pretix/"
 "ja/>\n"
@@ -12939,7 +12939,7 @@ msgstr "企業名を必須にするには、請求先住所を必須にする必
 #: pretix/base/settings.py:4157
 #, python-brace-format
 msgid "VAT-ID is not supported for \"{}\"."
-msgstr ""
+msgstr "VAT-IDは「{}」に対してサポートされていません。"
 
 #: pretix/base/settings.py:4164
 msgid "The last payment date cannot be before the end of presale."
@@ -26796,8 +26796,6 @@ msgid "Add a two-factor authentication device"
 msgstr "2要素認証デバイスを追加してください"
 
 #: pretix/control/templates/pretixcontrol/user/2fa_add.html:19
-#, fuzzy
-#| msgid "Smartphone with the Authenticator application"
 msgid "Smartphone with Authenticator app"
 msgstr "Authenticatorアプリを搭載したスマートフォン"
 
@@ -26806,18 +26804,20 @@ msgid ""
 "Use your smartphone with any Time-based One-Time-Password app like freeOTP, "
 "Google Authenticator or Proton Authenticator."
 msgstr ""
+"freeOTP、Google Authenticator、Proton Authenticator などの時間ベースの"
+"ワンタイムパスワードアプリをスマートフォンでご利用ください。"
 
 #: pretix/control/templates/pretixcontrol/user/2fa_add.html:30
-#, fuzzy
-#| msgid "WebAuthn-compatible hardware token (e.g. Yubikey)"
 msgid "WebAuthn-compatible hardware token"
-msgstr "WebAuthn対応のハードウェアトークン（例：Yubikey）"
+msgstr "WebAuthn対応のハードウェアトークン"
 
 #: pretix/control/templates/pretixcontrol/user/2fa_add.html:32
 msgid ""
 "Use a hardware token like the Yubikey, or other biometric authentication "
 "like fingerprint or face recognition."
 msgstr ""
+"Yubikey などのハードウェアトークンや、指紋や顔認識などの生体認証を使用してく"
+"ださい。"
 
 #: pretix/control/templates/pretixcontrol/user/2fa_confirm_totp.html:8
 msgid "To set up this device, please follow the following steps:"

src/pretix/locale/nl_BE/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-30 11:22+0000\n"
-"PO-Revision-Date: 2026-04-01 17:00+0000\n"
+"PO-Revision-Date: 2026-04-08 18:00+0000\n"
 "Last-Translator: Ruud Hendrickx <ruud@leckxicon.eu>\n"
 "Language-Team: Dutch (Belgium) <https://translate.pretix.eu/projects/pretix/"
 "pretix/nl_BE/>\n"
@@ -31346,7 +31346,7 @@ msgstr "We zullen u een e-mail sturen zodra we uw betaling ontvangen hebben."
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:7
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/sepa_export.html:7
 msgid "Export bank transfer refunds"
-msgstr ""
+msgstr "Terugbetalingen per bankoverschrijving exporteren"
 
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:9
 #, python-format
@@ -31354,6 +31354,8 @@ msgid ""
 "<strong>%(num_new)s</strong> Bank transfer refunds have been placed and are "
 "not yet part of an export."
 msgstr ""
+"<strong>%(num_new)s</strong> terugbetalingen per bankoverschrijving zijn "
+"aangemaakt en nog niet geëxporteerd."
 
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:15
 msgid "In test mode, your exports will only contain test mode orders."
@@ -31366,6 +31368,8 @@ msgid ""
 "If you want, you can now also create these exports for multiple events "
 "combined."
 msgstr ""
+"Als u dat wilt, kunt u deze exportbestanden nu ook voor meerdere evenementen "
+"tegelijk aanmaken."
 
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:22
 msgid "Go to organizer-level exports"
@@ -31377,7 +31381,7 @@ msgstr "Nieuw exportbestand aanmaken"
 
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:38
 msgid "Aggregate transactions to the same bank account"
-msgstr ""
+msgstr "Overschrijvingen naar hetzelfde rekeningnummer samenvoegen"
 
 #: pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/refund_export.html:43
 msgid ""

src/pretix/presale/forms/customer.py

@@ -83,7 +83,7 @@ class AuthenticationForm(forms.Form):
         self.request = request
         self.customer_cache = None
         super().__init__(*args, **kwargs)
-        self.fields['password'].help_text = "<a href='{}'>{}</a>".format(
+        self.fields['password'].help_text = "<a target='_blank' href='{}'>{}</a>".format(
             build_absolute_uri(False, 'presale:organizer.customer.resetpw', kwargs={
                 'organizer': request.organizer.slug,
             }),

src/pretix/presale/ical.py

@@ -153,7 +153,7 @@ def get_private_icals(event, positions):
                     # Actual ical organizer field is not useful since it will cause "your invitation was accepted" emails to the organizer
                     descr.append(_('Organizer: {organizer}').format(organizer=event.organizer.name))
                     description = '\n'.join(descr)
-                location = None
+                location = ", ".join(l.strip() for l in str(pt.location).splitlines() if l.strip())
                 dtstart = pt.start.astimezone(tz)
                 dtend = pt.end.astimezone(tz)
                 uid = 'pretix-{}-{}-{}-{}@{}'.format(

src/pretix/presale/urls.py

@@ -91,6 +91,9 @@ event_patterns = [
     re_path(r'w/(?P<cart_namespace>[a-zA-Z0-9]{16})/cart/add',
             csrf_exempt(pretix.presale.views.cart.CartAdd.as_view()),
             name='event.cart.add'),
+    re_path(r'w/(?P<cart_namespace>[a-zA-Z0-9]{16})/cart/create',
+            csrf_exempt(pretix.presale.views.cart.CartCreate.as_view()),
+            name='event.cart.create'),
 
     re_path(r'unlock/(?P<hash>[a-z0-9]{64})/$', pretix.presale.views.user.UnlockHashView.as_view(),
             name='event.payment.unlock'),

src/pretix/presale/views/cart.py

@@ -555,6 +555,18 @@ class CartClear(EventViewMixin, CartActionMixin, AsyncAction, View):
                        request.sales_channel.identifier, time_machine_now(default=None))
 
 
+@method_decorator(allow_cors_if_namespaced, 'dispatch')
+class CartCreate(EventViewMixin, CartActionMixin, View):
+    def get(self, request, *args, **kwargs):
+        if 'ajax' in self.request.GET:
+            cart_id = get_or_create_cart_id(self.request, create=True)
+            return JsonResponse({
+                'cart_id': cart_id,
+            })
+        else:
+            return redirect_to_url(self.get_success_url())
+
+
 @method_decorator(allow_frame_if_namespaced, 'dispatch')
 class CartExtendReservation(EventViewMixin, CartActionMixin, AsyncAction, View):
     task = extend_cart_reservation
@@ -843,9 +855,13 @@ class AnswerDownload(EventViewMixin, View):
             return Http404()
 
         ftype, _ = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-cart-{}"'.format(
+        filename = '{}-cart-{}'.format(
             self.request.event.slug.upper(),
             os.path.basename(answer.file.name).split('.', 1)[1]
-        ).encode("ascii", "ignore")
+        )
+        resp = FileResponse(
+            answer.file,
+            filename=filename,
+            content_type=ftype or 'application/binary'
+        )
         return resp

src/pretix/presale/views/event.py

@@ -681,8 +681,6 @@ class EventIndex(EventViewMixin, EventListMixin, CartMixin, TemplateView):
         context = {}
         context['list_type'] = self.request.GET.get("style", self.request.event.settings.event_list_type)
         if context['list_type'] not in ("calendar", "week") and self.request.event.subevents.filter(date_from__gt=time_machine_now()).count() > 50:
-            if self.request.event.settings.event_list_type not in ("calendar", "week"):
-                self.request.event.settings.event_list_type = "calendar"
             context['list_type'] = "calendar"
 
         if context['list_type'] == "calendar":

src/pretix/presale/views/order.py

@@ -1220,30 +1220,26 @@ class OrderDownloadMixin:
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                if self.order_position.subevent:
-                    # Subevent date in filename improves accessibility e.g. for screen reader users
-                    resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}-{}{}"'.format(
-                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                        self.order_position.subevent.date_from.strftime('%Y_%m_%d'),
-                        self.output.identifier, value.extension
-                    )
-                else:
-                    resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                        self.output.identifier, value.extension
-                    )
-                return resp
+                name_parts = (
+                    self.request.event.slug.upper(),
+                    self.order.code,
+                    str(self.order_position.positionid),
+                    self.order_position.subevent.date_from.strftime('%Y_%m_%d') if self.order_position.subevent else None,
+                    self.output.identifier
+                )
+                filename = "-".join(filter(None, name_parts)) + value.extension
+                return FileResponse(value.file.file, filename=filename, content_type=value.type)
         elif isinstance(value, CachedCombinedTicket):
             if value.type == 'text/uri-list':
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename="{}-{}-{}{}".format(
+                        self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension),
+                    content_type=value.type
                 )
-                return resp
         else:
             return redirect(self.get_self_url())
 
@@ -1383,13 +1379,14 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
             return redirect(self.get_order_url())
 
         try:
-            resp = FileResponse(invoice.file.file, content_type='application/pdf')
+            return FileResponse(
+                invoice.file.file,
+                filename='{}.pdf'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", invoice.number)),
+                content_type='application/pdf'
+            )
         except FileNotFoundError:
             invoice_pdf_task.apply(args=(invoice.pk,))
             return self.get(request, *args, **kwargs)
-        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", invoice.number))
-        resp._csp_ignore = True  # Some browser's PDF readers do not work with CSP
-        return resp
 
 
 class OrderChangeMixin:

src/pretix/presale/views/waiting.py

@@ -66,22 +66,27 @@ class WaitingView(EventViewMixin, FormView):
                 if customer else None
             ),
         )
-        choices = []
+        groups = {}
         for i in items:
             if not i.allow_waitinglist:
                 continue
 
+            category_name = str(i.category.name) if i.category else ''
+            group = groups.setdefault(category_name, [])
+
             if i.has_variations:
                 for v in i.available_variations:
                     if v.cached_availability[0] == Quota.AVAILABILITY_OK:
                         continue
-                    choices.append((f'{i.pk}-{v.pk}', f'{i.name} – {v.value}'))
+                    group.append((f'{i.pk}-{v.pk}', f'{i.name} – {v.value}'))
 
             else:
                 if i.cached_availability[0] == Quota.AVAILABILITY_OK:
                     continue
-                choices.append((f'{i.pk}', f'{i.name}'))
-        return choices
+                group.append((f'{i.pk}', f'{i.name}'))
+
+        # Remove categories where all items were available (no waiting list choices)
+        return [(cat, choices) for cat, choices in groups.items() if choices]
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()

src/pretix/presale/views/widget.py

@@ -530,12 +530,10 @@ class WidgetAPIProductList(EventListMixin, View):
         ]
 
         if hasattr(self.request, 'event') and data['list_type'] not in ("calendar", "week"):
-            # only allow list-view of more than 50 subevents if ordering is by data as this can be done in the database
+            # only allow list-view of more than 50 subevents if ordering is by date as this can be done in the database
             # ordering by name is currently not supported in database due to I18NField-JSON
             ordering = self.request.event.settings.get('frontpage_subevent_ordering', default='date_ascending', as_type=str)
             if ordering not in ("date_ascending", "date_descending") and self.request.event.subevents.filter(date_from__gt=now()).count() > 50:
-                if self.request.event.settings.event_list_type not in ("calendar", "week"):
-                    self.request.event.settings.event_list_type = "calendar"
                 data['list_type'] = list_type = 'calendar'
 
         if hasattr(self.request, 'event'):

src/pretix/settings.py

@@ -223,6 +223,7 @@ CSRF_TRUSTED_ORIGINS = [urlparse(SITE_URL).scheme + '://' + urlparse(SITE_URL).h
 
 TRUST_X_FORWARDED_FOR = config.getboolean('pretix', 'trust_x_forwarded_for', fallback=False)
 USE_X_FORWARDED_HOST = config.getboolean('pretix', 'trust_x_forwarded_host', fallback=False)
+ALLOW_HTTP_TO_PRIVATE_NETWORKS = config.getboolean('pretix', 'allow_http_to_private_networks', fallback=False)
 
 
 REQUEST_ID_HEADER = config.get('pretix', 'request_id_header', fallback=False)
@@ -263,7 +264,8 @@ EMAIL_HOST_PASSWORD = config.get('mail', 'password', fallback='')
 EMAIL_USE_TLS = config.getboolean('mail', 'tls', fallback=False)
 EMAIL_USE_SSL = config.getboolean('mail', 'ssl', fallback=False)
 EMAIL_SUBJECT_PREFIX = '[pretix] '
-EMAIL_BACKEND = EMAIL_CUSTOM_SMTP_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
+EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
+EMAIL_CUSTOM_SMTP_BACKEND = 'pretixbase.email.CheckPrivateNetworkSmtpBackend'
 EMAIL_TIMEOUT = 60
 
 ADMINS = [('Admin', n) for n in config.get('mail', 'admins', fallback='').split(",") if n]

src/pretix/static/npm_dir/package-lock.json

@@ -1835,10 +1835,9 @@
       "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg=="
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-      "license": "MIT",
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
       "optional": true,
       "dependencies": {
         "balanced-match": "^1.0.0",
@@ -2879,9 +2878,9 @@
       "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="
     },
     "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "engines": {
         "node": ">=8.6"
       },
@@ -4936,9 +4935,9 @@
       "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg=="
     },
     "brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
       "optional": true,
       "requires": {
         "balanced-match": "^1.0.0",
@@ -5715,9 +5714,9 @@
       "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="
     },
     "picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA=="
     },
     "pify": {
       "version": "4.0.1",

src/pretix/static/pretixpresale/js/widget/widget.js

@@ -110,6 +110,10 @@ var setCookie = function (cname, cvalue, exdays) {
     var d = new Date();
     d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
     var expires = "expires=" + d.toUTCString();
+    if (!cvalue) {
+        var expires = "expires=Thu, 01 Jan 1970 00:00:00 GMT";
+        cvalue = "";
+    }
     document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/";
 };
 var getCookie = function (name) {
@@ -726,17 +730,16 @@ var shared_methods = {
     buy_callback: function (data) {
         if (data.redirect) {
             if (data.cart_id) {
-                this.$root.cart_id = data.cart_id;
-                setCookie(this.$root.cookieName, data.cart_id, 30);
+                this.$root.set_cart_id(data.cart_id);
             }
             if (data.redirect.substr(0, 1) === '/') {
                 data.redirect = this.$root.target_url.replace(/^([^\/]+:\/\/[^\/]+)\/.*$/, "$1") + data.redirect;
             }
             var url = data.redirect;
             if (url.indexOf('?')) {
-                url = url + '&iframe=1&locale=' + lang + '&take_cart_id=' + this.$root.cart_id;
+                url = url + '&iframe=1&locale=' + lang + '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
             } else {
-                url = url + '?iframe=1&locale=' + lang + '&take_cart_id=' + this.$root.cart_id;
+                url = url + '?iframe=1&locale=' + lang + '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
             }
             url += this.$root.consent_parameter;
             if (this.$root.additionalURLParams) {
@@ -779,15 +782,24 @@ var shared_methods = {
         }
     },
     resume: function () {
+        if (!this.$root.get_cart_id() && this.$root.keep_cart) {
+            // create an empty cart whose id we can persist
+            this.$root.create_cart(this.resume)
+            return;
+        }
         var redirect_url;
         redirect_url = this.$root.target_url + 'w/' + widget_id + '/';
-        if (this.$root.subevent && !this.$root.cart_id) {
+        if (this.$root.subevent && this.$root.is_button && this.$root.items.length === 0) {
             // button with subevent but no items
             redirect_url += this.$root.subevent + '/';
         }
         redirect_url += '?iframe=1&locale=' + lang;
-        if (this.$root.cart_id) {
-            redirect_url += '&take_cart_id=' + this.$root.cart_id;
+        if (this.$root.get_cart_id()) {
+            redirect_url += '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
+            if (this.$root.keep_cart) {
+                // make sure the cart-id is used, even if the cart is currently empty
+                redirect_url += '&ajax=1'
+            }
         }
         if (this.$root.widget_data) {
             redirect_url += '&widget_data=' + encodeURIComponent(this.$root.widget_data_json);
@@ -1864,12 +1876,11 @@ var shared_root_methods = {
         if (this.$root.variation_filter) {
             url += '&variations=' + encodeURIComponent(this.$root.variation_filter);
         }
-        var cart_id = getCookie(this.cookieName);
         if (this.$root.voucher_code) {
             url += '&voucher=' + encodeURIComponent(this.$root.voucher_code);
         }
-        if (cart_id) {
-            url += "&cart_id=" + encodeURIComponent(cart_id);
+        if (this.$root.get_cart_id()) {
+            url += "&cart_id=" + encodeURIComponent(this.$root.get_cart_id());
         }
         if (this.$root.date !== null) {
             url += "&date=" + this.$root.date.substr(0, 7);
@@ -1939,7 +1950,6 @@ var shared_root_methods = {
                 root.display_add_to_cart = data.display_add_to_cart;
                 root.waiting_list_enabled = data.waiting_list_enabled;
                 root.show_variations_expanded = data.show_variations_expanded || !!root.variation_filter;
-                root.cart_id = cart_id;
                 root.cart_exists = data.cart_exists;
                 root.vouchers_exist = data.vouchers_exist;
                 root.has_seating_plan = data.has_seating_plan;
@@ -2004,8 +2014,8 @@ var shared_root_methods = {
         if (this.$root.voucher_code) {
             redirect_url += '&voucher=' + encodeURIComponent(this.$root.voucher_code);
         }
-        if (this.$root.cart_id) {
-            redirect_url += '&take_cart_id=' + this.$root.cart_id;
+        if (this.$root.get_cart_id()) {
+            redirect_url += '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
         }
         if (this.$root.widget_data) {
             redirect_url += '&widget_data=' + encodeURIComponent(this.$root.widget_data_json);
@@ -2027,7 +2037,28 @@ var shared_root_methods = {
         this.$root.subevent = event.subevent;
         this.$root.loading++;
         this.$root.reload();
-    }
+    },
+    create_cart: function(callback) {
+        var url = this.$root.target_url + 'w/' + widget_id + '/cart/create?ajax=1';
+
+        this.$root.overlay.frame_loading = true;
+        api._getJSON(url, (data) => {
+            this.$root.set_cart_id(data.cart_id);
+            this.$root.overlay.frame_loading = false;
+            callback()
+        }, () => {
+            this.$root.overlay.error_message = strings['cart_error'];
+            this.$root.overlay.frame_loading = false;
+        })
+    },
+    get_cart_id: function() {
+        if (this.$root.keep_cart) {
+            return getCookie(this.$root.cookieName);
+        }
+    },
+    set_cart_id: function(newValue) {
+        setCookie(this.$root.cookieName, newValue, 30);
+    },
 };
 
 var shared_root_computed = {
@@ -2049,9 +2080,8 @@ var shared_root_computed = {
     },
     voucherFormTarget: function () {
         var form_target = this.target_url + 'w/' + widget_id + '/redeem?iframe=1&locale=' + lang;
-        var cookie = getCookie(this.cookieName);
-        if (cookie) {
-            form_target += "&take_cart_id=" + cookie;
+        if (this.get_cart_id()) {
+            form_target += "&take_cart_id=" + encodeURIComponent(this.get_cart_id());
         }
         if (this.subevent) {
             form_target += "&subevent=" + this.subevent;
@@ -2091,9 +2121,8 @@ var shared_root_computed = {
             checkout_url += '?' + this.$root.additionalURLParams;
         }
         var form_target = this.target_url + 'w/' + widget_id + '/cart/add?iframe=1&next=' + encodeURIComponent(checkout_url);
-        var cookie = getCookie(this.cookieName);
-        if (cookie) {
-            form_target += "&take_cart_id=" + cookie;
+        if (this.get_cart_id()) {
+            form_target += "&take_cart_id=" + encodeURIComponent(this.get_cart_id());
         }
         form_target += this.$root.consent_parameter
         return form_target
@@ -2329,6 +2358,7 @@ var create_widget = function (element, html_id=null) {
                 has_seating_plan: false,
                 has_seating_plan_waitinglist: false,
                 meta_filter_fields: [],
+                keep_cart: true,
             }
         },
         created: function () {
@@ -2366,6 +2396,7 @@ var create_button = function (element, html_id=null) {
     var raw_items = element.attributes.items ? element.attributes.items.value : "";
     var skip_ssl = element.attributes["skip-ssl-check"] ? true : false;
     var disable_iframe = element.attributes["disable-iframe"] ? true : false;
+    var keep_cart = element.attributes["keep-cart"] ? true : false;
     var button_text = element.innerHTML;
     var widget_data = JSON.parse(JSON.stringify(window.PretixWidget.widget_data));
     for (var i = 0; i < element.attributes.length; i++) {
@@ -2417,7 +2448,8 @@ var create_button = function (element, html_id=null) {
                 widget_data: widget_data,
                 widget_id: 'pretix-widget-' + widget_id,
                 html_id: html_id,
-                button_text: button_text
+                button_text: button_text,
+                keep_cart: keep_cart || items.length > 0,
             }
         },
         created: function () {
@@ -2426,7 +2458,7 @@ var create_button = function (element, html_id=null) {
             observer.observe(this.$el, observerOptions);
         },
         computed: shared_root_computed,
-        methods: shared_root_methods
+        methods: shared_root_methods,
     });
     create_overlay(app);
     return app;
@@ -2492,13 +2524,14 @@ window.PretixWidget.open = function (target_url, voucher, subevent, items, widge
                 frame_dismissed: false,
                 widget_data: all_widget_data,
                 widget_id: 'pretix-widget-' + widget_id,
-                button_text: ""
+                button_text: "",
+                keep_cart: true
             }
         },
         created: function () {
         },
         computed: shared_root_computed,
-        methods: shared_root_methods
+        methods: shared_root_methods,
     });
     create_overlay(app);
     app.$nextTick(function () {

src/pretix/testutils/settings.py

@@ -94,6 +94,9 @@ class DisableMigrations(object):
     def __getitem__(self, item):
         return None
 
+    def setdefault(self, key, default=None):
+        return
+
 
 if not os.environ.get("GITHUB_WORKFLOW", ""):
     MIGRATION_MODULES = DisableMigrations()

src/tests/api/test_items.py

@@ -530,6 +530,7 @@ def test_item_detail_program_times(token_client, organizer, event, team, item, c
     res["program_times"] = [{
         "start": "2017-12-27T00:00:00Z",
         "end": "2017-12-28T00:00:00Z",
+        "location": None
     }]
     resp = token_client.get('/api/v1/organizers/{}/events/{}/items/{}/'.format(organizer.slug, event.slug,
                                                                                item.pk))
@@ -1972,32 +1973,54 @@ def program_time2(item, category):
                                      end=datetime(2017, 12, 30, 0, 0, 0, tzinfo=timezone.utc))
 
 
+@pytest.fixture
+def program_time3(item, category):
+    return item.program_times.create(start=datetime(2017, 12, 30, 0, 0, 0, tzinfo=timezone.utc),
+                                     end=datetime(2017, 12, 31, 0, 0, 0, tzinfo=timezone.utc),
+                                     location='Testlocation')
+
+
 TEST_PROGRAM_TIMES_RES = {
     0: {
         "start": "2017-12-27T00:00:00Z",
         "end": "2017-12-28T00:00:00Z",
+        "location": None,
     },
     1: {
         "start": "2017-12-29T00:00:00Z",
         "end": "2017-12-30T00:00:00Z",
+        "location": None,
+    },
+    2: {
+        "start": "2017-12-30T00:00:00Z",
+        "end": "2017-12-31T00:00:00Z",
+        "location": {"en": "Testlocation"},
     }
 }
 
 
 @pytest.mark.django_db
-def test_program_times_list(token_client, organizer, event, item, program_time, program_time2):
+def test_program_times_list(token_client, organizer, event, item, program_time, program_time2, program_time3):
     res = dict(TEST_PROGRAM_TIMES_RES)
     res[0]["id"] = program_time.pk
     res[1]["id"] = program_time2.pk
+    res[2]["id"] = program_time3.pk
     resp = token_client.get('/api/v1/organizers/{}/events/{}/items/{}/program_times/'.format(organizer.slug, event.slug,
                                                                                              item.pk))
     assert resp.status_code == 200
     assert res[0]['start'] == resp.data['results'][0]['start']
     assert res[0]['end'] == resp.data['results'][0]['end']
     assert res[0]['id'] == resp.data['results'][0]['id']
+    assert res[0] == resp.data['results'][0]
     assert res[1]['start'] == resp.data['results'][1]['start']
     assert res[1]['end'] == resp.data['results'][1]['end']
     assert res[1]['id'] == resp.data['results'][1]['id']
+    assert res[1] == resp.data['results'][1]
+    assert res[2]['start'] == resp.data['results'][2]['start']
+    assert res[2]['end'] == resp.data['results'][2]['end']
+    assert res[2]['location'] == resp.data['results'][2]['location']
+    assert res[2]['id'] == resp.data['results'][2]['id']
+    assert res[2] == resp.data['results'][2]
 
 
 @pytest.mark.django_db
@@ -2039,6 +2062,59 @@ def test_program_times_create(token_client, organizer, event, item):
     assert resp.content.decode() == '{"non_field_errors":["The program end must not be before the program start."]}'
 
 
+@pytest.mark.django_db
+def test_program_times_create_location(token_client, organizer, event, item):
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/items/{}/program_times/'.format(organizer.slug, event.slug, item.pk),
+        {
+            "start": "2017-12-27T00:00:00Z",
+            "end": "2017-12-28T00:00:00Z",
+            "location": {
+                "en": "Testlocation",
+                "de": "Testort"
+            }
+        },
+        format='json'
+    )
+    assert resp.status_code == 201
+    with scopes_disabled():
+        program_time = ItemProgramTime.objects.get(pk=resp.data['id'])
+    assert "Testlocation" == program_time.location.localize("en")
+    assert "Testort" == program_time.location.localize("de")
+
+
+@pytest.mark.django_db
+def test_program_times_create_without_location(token_client, organizer, event, item):
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/items/{}/program_times/'.format(organizer.slug, event.slug, item.pk),
+        {
+            "start": "2017-12-27T00:00:00Z",
+            "end": "2017-12-28T00:00:00Z"
+        },
+        format='json'
+    )
+    assert resp.status_code == 201
+    assert resp.data['location'] is None
+    with scopes_disabled():
+        program_time = ItemProgramTime.objects.get(pk=resp.data['id'])
+    assert str(program_time.location) == ""
+
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/items/{}/program_times/'.format(organizer.slug, event.slug, item.pk),
+        {
+            "start": "2017-12-27T00:00:00Z",
+            "end": "2017-12-28T00:00:00Z",
+            "location": None
+        },
+        format='json'
+    )
+    assert resp.status_code == 201
+    assert resp.data['location'] is None
+    with scopes_disabled():
+        program_time = ItemProgramTime.objects.get(pk=resp.data['id'])
+    assert str(program_time.location) == ""
+
+
 @pytest.mark.django_db
 def test_program_times_update(token_client, organizer, event, item, program_time):
     resp = token_client.patch(

src/tests/base/test_mail.py

@@ -35,8 +35,11 @@
 import datetime
 import os
 import re
+import socket
+from contextlib import contextmanager
 from decimal import Decimal
 from email.mime.text import MIMEText
+from unittest import mock
 
 import pytest
 from django.conf import settings
@@ -591,3 +594,117 @@ def test_attached_ical_localization(env, order):
         assert len(djmail.outbox) == 1
         assert len(djmail.outbox[0].attachments) == 1
         assert description in djmail.outbox[0].attachments[0][1]
+
+
+PRIVATE_IPS_RES = [
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('10.0.0.3', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('0.0.0.0', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('127.1.1.1', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('192.168.5.3', 443))],
+    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('224.0.0.1', 443))],
+    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('::1', 443, 0, 0))],
+    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
+    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
+    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
+]
+
+
+@contextmanager
+def assert_mail_connection(res, should_connect, use_ssl):
+    with (
+        mock.patch('socket.socket') as mock_socket,
+        mock.patch('socket.getaddrinfo', return_value=res),
+        mock.patch('smtplib.SMTP.getreply', return_value=(220, "")),
+        mock.patch('smtplib.SMTP.sendmail'),
+        mock.patch('ssl.SSLContext.wrap_socket') as mock_ssl
+    ):
+        yield
+
+        if should_connect:
+            mock_socket.assert_called_once()
+            mock_socket.return_value.connect.assert_called_once_with(res[0][-1])
+            if use_ssl:
+                mock_ssl.assert_called_once()
+        else:
+            mock_socket.assert_not_called()
+            mock_socket.return_value.connect.assert_not_called()
+            mock_ssl.assert_not_called()
+
+
+@pytest.mark.parametrize("res", PRIVATE_IPS_RES)
+@pytest.mark.parametrize("use_ssl", [
+    True, False
+])
+def test_private_smtp_ip(res, use_ssl, settings):
+    settings.EMAIL_CUSTOM_SMTP_BACKEND = 'pretix.base.email.CheckPrivateNetworkSmtpBackend'
+    settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = False
+    with assert_mail_connection(res=res, should_connect=False, use_ssl=use_ssl), pytest.raises(match="Request to .* blocked"):
+        connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
+                                           host="localhost",
+                                           use_ssl=use_ssl)
+        connection.open()
+
+    settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = True
+    with assert_mail_connection(res=res, should_connect=True, use_ssl=use_ssl):
+        connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
+                                           host="localhost",
+                                           use_ssl=use_ssl)
+        connection.open()
+
+
+@pytest.mark.parametrize("use_ssl", [
+    True, False
+])
+@pytest.mark.parametrize("allow_private", [
+    True, False
+])
+def test_public_smtp_ip(use_ssl, allow_private, settings):
+    settings.EMAIL_CUSTOM_SMTP_BACKEND = 'pretix.base.email.CheckPrivateNetworkSmtpBackend'
+    settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = allow_private
+
+    with assert_mail_connection(res=[(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('8.8.8.8', 443))], should_connect=True, use_ssl=use_ssl):
+        connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
+                                           host="localhost",
+                                           use_ssl=use_ssl)
+        connection.open()
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("use_ssl", [
+    True, False
+])
+@pytest.mark.parametrize("allow_private_networks", [
+    True, False
+])
+@pytest.mark.parametrize("res", PRIVATE_IPS_RES)
+def test_send_mail_private_ip(res, use_ssl, allow_private_networks, env):
+    settings.EMAIL_CUSTOM_SMTP_BACKEND = 'pretix.base.email.CheckPrivateNetworkSmtpBackend'
+    settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = allow_private_networks
+
+    event, user, organizer = env
+    event.settings.smtp_use_custom = True
+    event.settings.smtp_host = "example.com"
+    event.settings.smtp_use_ssl = use_ssl
+    event.settings.smtp_use_tls = False
+
+    def send_mail():
+        m = OutgoingMail.objects.create(
+            to=['recipient@example.com'],
+            subject='Test',
+            body_plain='Test',
+            sender='sender@example.com',
+            event=event
+        )
+        assert m.status == OutgoingMail.STATUS_QUEUED
+        mail_send_task.apply(kwargs={
+            'outgoing_mail': m.pk,
+        }, max_retries=0)
+        m.refresh_from_db()
+        return m
+
+    with assert_mail_connection(res=res, should_connect=allow_private_networks, use_ssl=use_ssl):
+        m = send_mail()
+        if allow_private_networks:
+            assert m.status == OutgoingMail.STATUS_SENT
+        else:
+            assert m.status == OutgoingMail.STATUS_FAILED

src/tests/helpers/test_urllib.py

@@ -0,0 +1,93 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from socket import AF_INET, SOCK_STREAM
+from unittest import mock
+
+import pytest
+import requests
+from django.test import override_settings
+from dns.inet import AF_INET6
+from urllib3.exceptions import HTTPError
+
+
+def test_local_blocked():
+    with pytest.raises(HTTPError, match="Request to local address.*"):
+        requests.get("http://localhost", timeout=0.1)
+    with pytest.raises(HTTPError, match="Request to local address.*"):
+        requests.get("https://localhost", timeout=0.1)
+
+
+def test_private_ip_blocked():
+    with pytest.raises(HTTPError, match="Request to private address.*"):
+        requests.get("http://10.0.0.1", timeout=0.1)
+    with pytest.raises(HTTPError, match="Request to private address.*"):
+        requests.get("https://10.0.0.1", timeout=0.1)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("res", [
+    [(AF_INET, SOCK_STREAM, 6, '', ('10.0.0.3', 443))],
+    [(AF_INET, SOCK_STREAM, 6, '', ('0.0.0.0', 443))],
+    [(AF_INET, SOCK_STREAM, 6, '', ('127.1.1.1', 443))],
+    [(AF_INET, SOCK_STREAM, 6, '', ('192.168.5.3', 443))],
+    [(AF_INET, SOCK_STREAM, 6, '', ('224.0.0.1', 443))],
+    [(AF_INET6, SOCK_STREAM, 6, '', ('::1', 443, 0, 0))],
+    [(AF_INET6, SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
+    [(AF_INET6, SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
+    [(AF_INET6, SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
+])
+def test_dns_resolving_to_local_blocked(res):
+    with mock.patch('socket.getaddrinfo') as mock_addr:
+        mock_addr.return_value = res
+        with pytest.raises(HTTPError, match="Request to (multicast|private|local) address.*"):
+            requests.get("https://example.org", timeout=0.1)
+        with pytest.raises(HTTPError, match="Request to (multicast|private|local) address.*"):
+            requests.get("http://example.org", timeout=0.1)
+
+
+def test_dns_remote_allowed():
+    class SocketOk(Exception):
+        pass
+
+    def side_effect(*args, **kwargs):
+        raise SocketOk
+
+    with mock.patch('socket.getaddrinfo') as mock_addr, mock.patch('socket.socket') as mock_socket:
+        mock_addr.return_value = [(AF_INET, SOCK_STREAM, 6, '', ('8.8.8.8', 443))]
+        mock_socket.side_effect = side_effect
+        with pytest.raises(SocketOk):
+            requests.get("https://example.org", timeout=0.1)
+
+
+@override_settings(ALLOW_HTTP_TO_PRIVATE_NETWORKS=True)
+def test_local_is_allowed():
+    class SocketOk(Exception):
+        pass
+
+    def side_effect(*args, **kwargs):
+        raise SocketOk
+
+    with mock.patch('socket.getaddrinfo') as mock_addr, mock.patch('socket.socket') as mock_socket:
+        mock_addr.return_value = [(AF_INET, SOCK_STREAM, 6, '', ('10.0.0.1', 443))]
+        mock_socket.side_effect = side_effect
+        with pytest.raises(SocketOk):
+            requests.get("https://example.org", timeout=0.1)

src/tests/presale/test_event.py

@@ -1162,6 +1162,65 @@ class WaitingListTest(EventTestMixin, SoupTest):
         assert wle.voucher is None
         assert wle.locale == 'en'
 
+    def test_initial_selection(self):
+        with scopes_disabled():
+            cat = ItemCategory.objects.create(event=self.event, name='Tickets')
+            self.item.category = cat
+            self.item.save()
+
+            item2 = Item.objects.create(
+                event=self.event, name='VIP ticket',
+                default_price=Decimal('25.00'),
+                active=True, category=cat,
+            )
+            self.q.items.add(item2)
+
+        response = self.client.get(
+            '/%s/%s/waitinglist/?item=%d' % (
+                self.orga.slug, self.event.slug, item2.pk
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        doc = BeautifulSoup(response.render().content, "lxml")
+
+        select = doc.find('select', {'name': 'itemvar'})
+        optgroup = select.find('optgroup')
+        self.assertIsNotNone(optgroup, 'Choices should be grouped by category')
+        self.assertEqual(optgroup['label'], 'Tickets')
+
+        selected = select.find_all('option', selected=True)
+        self.assertEqual(len(selected), 1, 'Exactly one option should be pre-selected')
+        self.assertEqual(selected[0]['value'], str(item2.pk))
+
+    def test_initial_selection_with_variation(self):
+        with scopes_disabled():
+            cat = ItemCategory.objects.create(event=self.event, name='Tickets')
+            self.item.category = cat
+            self.item.has_variations = True
+            self.item.save()
+
+            var1 = ItemVariation.objects.create(item=self.item, value='Standard')
+            var2 = ItemVariation.objects.create(item=self.item, value='Premium')
+            self.q.variations.add(var1, var2)
+
+        response = self.client.get(
+            '/%s/%s/waitinglist/?item=%d&var=%d' % (
+                self.orga.slug, self.event.slug,
+                self.item.pk, var2.pk,
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        doc = BeautifulSoup(response.render().content, "lxml")
+
+        select = doc.find('select', {'name': 'itemvar'})
+        optgroup = select.find('optgroup')
+        self.assertIsNotNone(optgroup, 'Choices should be grouped by category')
+        self.assertEqual(optgroup['label'], 'Tickets')
+
+        selected = select.find_all('option', selected=True)
+        self.assertEqual(len(selected), 1, 'Exactly one option should be pre-selected')
+        self.assertEqual(selected[0]['value'], '%d-%d' % (self.item.pk, var2.pk))
+
     def test_subevent_valid(self):
         with scopes_disabled():
             self.event.has_subevents = True