Bump to 3.12.1

src/MANIFEST.in

@@ -1,5 +1,6 @@
 include LICENSE
 include README.rst
+global-include *.proto
 recursive-include pretix/static *
 recursive-include pretix/static.dist *
 recursive-include pretix/locale *

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "3.12.0"
+__version__ = "3.12.1"

src/pretix/base/forms/auth.py

@@ -1,12 +1,17 @@
+import hashlib
+import ipaddress
+
 from django import forms
 from django.conf import settings
 from django.contrib.auth.password_validation import (
     password_validators_help_texts, validate_password,
 )
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 
 from pretix.base.models import User
 from pretix.helpers.dicts import move_to_end
+from pretix.helpers.http import get_client_ip
 
 
 class LoginForm(forms.Form):
@@ -18,6 +23,7 @@ class LoginForm(forms.Form):
 
     error_messages = {
         'invalid_login': _("This combination of credentials is not known to our system."),
+        'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
         'inactive': _("This account is inactive.")
     }
 
@@ -39,10 +45,36 @@ class LoginForm(forms.Form):
         else:
             move_to_end(self.fields, 'keep_logged_in')
 
+    @cached_property
+    def ratelimit_key(self):
+        if not settings.HAS_REDIS:
+            return None
+        client_ip = get_client_ip(self.request)
+        if not client_ip:
+            return None
+        try:
+            client_ip = ipaddress.ip_address(client_ip)
+        except ValueError:
+            # Web server not set up correctly
+            return None
+        if client_ip.is_private:
+            # This is the private IP of the server, web server not set up correctly
+            return None
+        return 'pretix_login_{}'.format(hashlib.sha1(str(client_ip).encode()).hexdigest())
+
     def clean(self):
         if all(k in self.cleaned_data for k, f in self.fields.items() if f.required):
+            if self.ratelimit_key:
+                from django_redis import get_redis_connection
+                rc = get_redis_connection("redis")
+                cnt = rc.get(self.ratelimit_key)
+                if cnt and int(cnt) > 10:
+                    raise forms.ValidationError(self.error_messages['rate_limit'], code='rate_limit')
             self.user_cache = self.backend.form_authenticate(self.request, self.cleaned_data)
             if self.user_cache is None:
+                if self.ratelimit_key:
+                    rc.incr(self.ratelimit_key)
+                    rc.expire(self.ratelimit_key, 300)
                 raise forms.ValidationError(
                     self.error_messages['invalid_login'],
                     code='invalid_login'

src/pretix/base/forms/user.py

@@ -1,4 +1,5 @@
 from django import forms
+from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.password_validation import (
     password_validators_help_texts, validate_password,
@@ -19,6 +20,7 @@ class UserSettingsForm(forms.ModelForm):
                         "address or password."),
         'pw_current_wrong': _("The current password you entered was not correct."),
         'pw_mismatch': _("Please enter the same password twice"),
+        'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
     }
 
     old_pw = forms.CharField(max_length=255,
@@ -64,6 +66,18 @@ class UserSettingsForm(forms.ModelForm):
 
     def clean_old_pw(self):
         old_pw = self.cleaned_data.get('old_pw')
+
+        if old_pw and settings.HAS_REDIS:
+            from django_redis import get_redis_connection
+            rc = get_redis_connection("redis")
+            cnt = rc.incr('pretix_pwchange_%s' % self.user.pk)
+            rc.expire('pretix_pwchange_%s' % self.user.pk, 300)
+            if cnt > 10:
+                raise forms.ValidationError(
+                    self.error_messages['rate_limit'],
+                    code='rate_limit',
+                )
+
         if old_pw and not check_password(old_pw, self.user.password):
             raise forms.ValidationError(
                 self.error_messages['pw_current_wrong'],

src/pretix/base/migrations/0162b_auto_20201218_1810.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.0.11 on 2020-12-18 18:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0162_remove_seat_name'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='cachedfile',
+            name='session_key',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='cachedfile',
+            name='web_download',
+            field=models.BooleanField(default=True),
+        ),
+    ]

src/pretix/base/migrations/0170_merge_20201222_1028.py

@@ -0,0 +1,14 @@
+# Generated by Django 3.0.11 on 2020-12-22 10:28
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0169_checkinlist_gates'),
+        ('pretixbase', '0162b_auto_20201218_1810'),
+    ]
+
+    operations = [
+    ]

src/pretix/base/models/base.py

@@ -28,6 +28,8 @@ class CachedFile(models.Model):
     filename = models.CharField(max_length=255)
     type = models.CharField(max_length=255)
     file = models.FileField(null=True, blank=True, upload_to=cachedfile_name, max_length=255)
+    web_download = models.BooleanField(default=True)  # allow web download, True for backwards compatibility in plugins
+    session_key = models.TextField(null=True, blank=True)  # only allow download in this session
 
 
 @receiver(post_delete, sender=CachedFile)

src/pretix/base/services/shredder.py

@@ -17,7 +17,7 @@ from pretix.celery_app import app
 
 
 @app.task(base=ProfiledEventTask)
-def export(event: Event, shredders: List[str]) -> None:
+def export(event: Event, shredders: List[str], session_key=None) -> None:
     known_shredders = event.get_data_shredders()
 
     with NamedTemporaryFile() as rawfile:
@@ -55,6 +55,8 @@ def export(event: Event, shredders: List[str]) -> None:
         cf.date = now()
         cf.filename = event.slug + '.zip'
         cf.type = 'application/zip'
+        cf.session_key = session_key
+        cf.web_download = True
         cf.expires = now() + timedelta(hours=1)
         cf.save()
         cf.file.save(cachedfile_name(cf, cf.filename), rawfile)

src/pretix/base/templatetags/rich_text.py

@@ -1,3 +1,4 @@
+import re
 import urllib.parse
 
 import bleach
@@ -71,6 +72,10 @@ EMAIL_RE = build_email_re(tlds=sorted(tld_set, key=len, reverse=True))
 
 
 def safelink_callback(attrs, new=False):
+    """
+    Makes sure that all links to a different domain are passed through a redirection handler
+    to ensure there's no passing of referers with secrets inside them.
+    """
     url = attrs.get((None, 'href'), '/')
     if not url_has_allowed_host_and_scheme(url, allowed_hosts=None) and not url.startswith('mailto:') and not url.startswith('tel:'):
         signer = signing.Signer(salt='safe-redirect')
@@ -80,7 +85,42 @@ def safelink_callback(attrs, new=False):
     return attrs
 
 
+def truelink_callback(attrs, new=False):
+    """
+    Tries to prevent "phishing" attacks in which a link looks like it points to a safe place but instead
+    points somewhere else, e.g.
+
+        <a href="https://evilsite.com">https://google.com</a>
+
+    At the same time, custom texts are still allowed:
+
+        <a href="https://maps.google.com">Get to the event</a>
+
+    Suffixes are also allowed:
+
+        <a href="https://maps.google.com/location/foo">https://maps.google.com</a>
+    """
+    text = re.sub('[^a-zA-Z0-9.-/_]', '', attrs.get('_text'))  # clean up link text
+    if URL_RE.match(text):
+        # link text looks like a url
+        if text.startswith('//'):
+            text = 'https:' + text
+        elif not text.startswith('http'):
+            text = 'https://' + text
+
+        text_url = urllib.parse.urlparse(text)
+        href_url = urllib.parse.urlparse(attrs[None, 'href'])
+        if text_url.netloc != href_url.netloc or not href_url.path.startswith(href_url.path):
+            # link text contains an URL that has a different base than the actual URL
+            attrs['_text'] = attrs[None, 'href']
+    return attrs
+
+
 def abslink_callback(attrs, new=False):
+    """
+    Makes sure that all links will be absolute links and will be opened in a new page with no
+    window.opener attribute.
+    """
     url = attrs.get((None, 'href'), '/')
     if not url.startswith('mailto:') and not url.startswith('tel:'):
         attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, url)
@@ -93,6 +133,7 @@ def markdown_compile_email(source):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
+        callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
         parse_email=True
     )
     return linker.linkify(bleach.clean(
@@ -145,7 +186,7 @@ def rich_text(text: str, **kwargs):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
         parse_email=True
     )
     body_md = linker.linkify(markdown_compile(text))
@@ -161,7 +202,7 @@ def rich_text_snippet(text: str, **kwargs):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
         parse_email=True
     )
     body_md = linker.linkify(markdown_compile(text, snippet=True))

src/pretix/base/views/cachedfiles.py

@@ -13,7 +13,11 @@ class DownloadView(TemplateView):
     @cached_property
     def object(self) -> CachedFile:
         try:
-            return get_object_or_404(CachedFile, id=self.kwargs['id'])
+            o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
+            if o.session_key:
+                if o.session_key != self.request.session.session_key:
+                    raise Http404()
+            return o
         except ValueError:   # Invalid URLs
             raise Http404()
 

src/pretix/control/views/auth.py

@@ -74,13 +74,15 @@ def login(request):
         backend = [b for b in backends if b.visible][0]
     if request.user.is_authenticated:
         next_url = backend.get_next_url(request) or 'control:index'
-        return redirect(next_url)
+        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
+            return redirect(next_url)
+        return redirect(reverse('control:index'))
     if request.method == 'POST':
-        form = LoginForm(backend=backend, data=request.POST)
+        form = LoginForm(backend=backend, data=request.POST, request=request)
         if form.is_valid() and form.user_cache and form.user_cache.auth_backend == backend.identifier:
             return process_login(request, form.user_cache, form.cleaned_data.get('keep_logged_in', False))
     else:
-        form = LoginForm(backend=backend)
+        form = LoginForm(backend=backend, request=request)
     ctx['form'] = form
     ctx['can_register'] = settings.PRETIX_REGISTRATION
     ctx['can_reset'] = settings.PRETIX_PASSWORD_RESET

src/pretix/control/views/orders.py

@@ -1958,9 +1958,9 @@ class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, View)
             messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
             return self.get(request, *args, **kwargs)
 
-        cf = CachedFile()
+        cf = CachedFile(web_download=True, session_key=request.session.session_key)
         cf.date = now()
-        cf.expires = now() + timedelta(days=3)
+        cf.expires = now() + timedelta(hours=24)
         cf.save()
         return self.do(self.request.event.id, str(cf.id), self.exporter.identifier, self.exporter.form.cleaned_data)
 

src/pretix/control/views/organizer.py

@@ -1245,9 +1245,9 @@ class ExportDoView(OrganizerPermissionRequiredMixin, ExportMixin, AsyncAction, V
             messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
             return self.get(request, *args, **kwargs)
 
-        cf = CachedFile()
+        cf = CachedFile(web_download=True, session_key=request.session.session_key)
         cf.date = now()
-        cf.expires = now() + timedelta(days=3)
+        cf.expires = now() + timedelta(hours=24)
         cf.save()
         return self.do(
             organizer=self.request.organizer.id,

src/pretix/control/views/pdf.py

@@ -137,7 +137,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
             buffer = BytesIO()
             p.write(buffer)
             buffer.seek(0)
-            c = CachedFile()
+            c = CachedFile(web_download=True)
             c.expires = now() + timedelta(days=7)
             c.date = now()
             c.filename = 'background_preview.pdf'
@@ -162,7 +162,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
                     "status": "error",
                     "error": error
                 })
-            c = CachedFile()
+            c = CachedFile(web_download=True)
             c.expires = now() + timedelta(days=7)
             c.date = now()
             c.filename = 'background_preview.pdf'

src/pretix/control/views/shredder.py

@@ -75,7 +75,7 @@ class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequired
         if constr:
             return self.error(ShredError(self.get_error_url()))
 
-        return self.do(self.request.event.id, request.POST.getlist("shredder"))
+        return self.do(self.request.event.id, request.POST.getlist("shredder"), self.request.session.session_key)
 
 
 class ShredDoView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):

src/pretix/plugins/badges/views.py

@@ -235,7 +235,7 @@ class OrderPrintDo(EventPermissionRequiredMixin, AsyncAction, View):
 
     def post(self, request, *args, **kwargs):
         order = get_object_or_404(self.request.event.orders, code=request.GET.get("code"))
-        cf = CachedFile()
+        cf = CachedFile(web_download=True, session_key=self.request.session.session_key)
         cf.date = now()
         cf.type = 'application/pdf'
         cf.expires = now() + timedelta(days=3)

src/tests/base/test_rich_text.py

@@ -0,0 +1,33 @@
+import pytest
+
+from pretix.base.templatetags.rich_text import rich_text, rich_text_snippet, markdown_compile_email
+
+
+@pytest.mark.parametrize("link", [
+    # Test link detection
+    ("google.com",
+     '<a href="http://google.com" rel="noopener" target="_blank">google.com</a>'),
+    # Test abslink_callback
+    ("[Call](tel:+12345)",
+     '<a href="tel:+12345" rel="nofollow">Call</a>'),
+    ("[Foo](/foo)",
+     '<a href="http://example.com/foo" rel="noopener" target="_blank">Foo</a>'),
+    ("mail@example.org",
+     '<a href="mailto:mail@example.org">mailto:mail@example.org</a>'),
+    # Test truelink_callback
+    ('<a href="https://evilsite.com">Evil Site</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">Evil Site</a>'),
+    ('<a href="https://evilsite.com">evilsite.com</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">evilsite.com</a>'),
+    ('<a href="https://evilsite.com">goodsite.com</a>',
+     '<a href="https://evilsite.com" rel="noopener" target="_blank">https://evilsite.com</a>'),
+    ('<a href="https://goodsite.com.evilsite.com">goodsite.com</a>',
+     '<a href="https://goodsite.com.evilsite.com" rel="noopener" target="_blank">https://goodsite.com.evilsite.com</a>'),
+    ('<a href="https://evilsite.com/deep/path">evilsite.com</a>',
+     '<a href="https://evilsite.com/deep/path" rel="noopener" target="_blank">evilsite.com</a>'),
+])
+def test_linkify_abs(link):
+    input, output = link
+    assert rich_text_snippet(input, safelinks=False) == output
+    assert rich_text(input, safelinks=False) == f'<p>{output}</p>'
+    assert markdown_compile_email(input) == f'<p>{output}</p>'

src/tests/control/test_auth.py

@@ -90,6 +90,10 @@ class LoginFormTest(TestCase):
         self.assertEqual(response.status_code, 302)
         self.assertIn('/control/events/', response['Location'])
 
+        response = self.client.get('/control/login?next=//evilsite.com')
+        self.assertEqual(response.status_code, 302)
+        self.assertIn('/control/', response['Location'])
+
     def test_logout(self):
         response = self.client.post('/control/login', {
             'email': 'dummy@dummy.dummy',