Waiting list: Redirect back after voucher edit (Z#23230178)

2026-06-10 01:15:05 +00:00 · 2026-06-08 14:41:13 +02:00
6 changed files with 5 additions and 14 deletions
--- a/src/pretix/base/email.py
+++ b/src/pretix/base/email.py
@@ -57,8 +57,6 @@ logger = logging.getLogger('pretix.base.email')

 T = TypeVar("T", bound=EmailBackend)

-_cgnat_net = ipaddress.ip_network('100.64.0.0/10')
-

 def test_custom_smtp_backend(backend: T, from_addr: str) -> None:
    try:
@@ -255,15 +253,12 @@ def create_connection(address, timeout=socket.getdefaulttimeout(),

        if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
            ip_addr = ipaddress.ip_address(sa[0])
-            check_ip4 = ip_addr.ipv4_mapped if getattr(ip_addr, "ipv4_mapped", None) else ip_addr
            if ip_addr.is_multicast:
                raise socket.error(f"Request to multicast address {sa[0]} blocked")
            if ip_addr.is_loopback or ip_addr.is_link_local:
                raise socket.error(f"Request to local address {sa[0]} blocked")
            if ip_addr.is_private:
                raise socket.error(f"Request to private address {sa[0]} blocked")
-            if check_ip4 in _cgnat_net:
-                raise socket.error(f"Request to RFC 6598 address {sa[0]} blocked")

        sock = None
        try:
--- a/src/pretix/control/templates/pretixcontrol/waitinglist/index.html
+++ b/src/pretix/control/templates/pretixcontrol/waitinglist/index.html
@@ -251,7 +251,7 @@
                        </td>
                        <td>
                            {% if e.voucher %}
-                                <a href="{% url "control:event.voucher" organizer=request.event.organizer.slug event=request.event.slug voucher=e.voucher.pk %}">
+                                <a href="{% url "control:event.voucher" organizer=request.event.organizer.slug event=request.event.slug voucher=e.voucher.pk %}?next={{ request.get_full_path|urlencode }}">
                                    {{ e.voucher }}
                                </a>
                            {% elif not e.voucher and e.availability.0 == 100 and e.availability.1|default_if_none:"none" != "none" %}
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -51,6 +51,7 @@ from django.shortcuts import redirect, render
 from django.urls import resolve, reverse
 from django.utils.functional import cached_property
 from django.utils.html import format_html
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.safestring import mark_safe
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -320,6 +321,8 @@ class VoucherUpdate(EventPermissionRequiredMixin, UpdateView):
        return super().post(request, *args, **kwargs)

    def get_success_url(self) -> str:
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
+            return self.request.GET.get("next")
        return reverse('control:event.vouchers', kwargs={
            'organizer': self.request.event.organizer.slug,
            'event': self.request.event.slug,
--- a/src/pretix/helpers/monkeypatching.py
+++ b/src/pretix/helpers/monkeypatching.py
@@ -148,14 +148,13 @@ def monkeypatch_urllib3_ssrf_protection():

            if not getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
                ip_addr = ipaddress.ip_address(sa[0])
-                check_ip4 = ip_addr.ipv4_mapped if getattr(ip_addr, "ipv4_mapped", None) else ip_addr
                if ip_addr.is_multicast:
                    raise HTTPError(f"Request to multicast address {sa[0]} blocked")
                if ip_addr.is_loopback or ip_addr.is_link_local:
                    raise HTTPError(f"Request to local address {sa[0]} blocked")
                if ip_addr.is_private:
                    raise HTTPError(f"Request to private address {sa[0]} blocked")
-                if check_ip4 in _cgnat_net:
+                if ip_addr in _cgnat_net:
                    raise HTTPError(f"Request to RFC 6598 address {sa[0]} blocked")

            sock = None
--- a/src/tests/base/test_mail.py
+++ b/src/tests/base/test_mail.py
@@ -602,13 +602,10 @@ PRIVATE_IPS_RES = [
    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('127.1.1.1', 443))],
    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('192.168.5.3', 443))],
    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('224.0.0.1', 443))],
-    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('100.64.0.1', 443))],
-    [(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('100.100.100.100', 443))],
    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('::1', 443, 0, 0))],
    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
-    [(socket.AF_INET6, socket.SOCK_STREAM, 6, '', ('::ffff:100.64.0.1', 443, 0, 0))],
 ]


--- a/src/tests/helpers/test_urllib.py
+++ b/src/tests/helpers/test_urllib.py
@@ -43,8 +43,6 @@ def test_private_ip_blocked():
        requests.get("https://10.0.0.1", timeout=0.1)
    with pytest.raises(HTTPError, match="Request to RFC 6598 address.*"):
        requests.get("https://100.100.100.100", timeout=0.1)
-    with pytest.raises(HTTPError, match="Request to RFC 6598 address.*"):
-        requests.get("https://[::ffff:100.64.0.1]", timeout=0.1)


@pytest.mark.django_db
@@ -60,7 +58,6 @@ def test_private_ip_blocked():
    [(AF_INET6, SOCK_STREAM, 6, '', ('fe80::1', 443, 0, 0))],
    [(AF_INET6, SOCK_STREAM, 6, '', ('ff00::1', 443, 0, 0))],
    [(AF_INET6, SOCK_STREAM, 6, '', ('fc00::1', 443, 0, 0))],
-    [(AF_INET6, SOCK_STREAM, 6, "", ("::ffff:100.64.0.1", 443, 0, 0))],
 ])
 def test_dns_resolving_to_local_blocked(res):
    with mock.patch('socket.getaddrinfo') as mock_addr: