From 1b8f5d0d27444501c64e60c444e6ea30e2c7a286 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89lie=20Bouttier?=
Date: Sun, 26 Nov 2017 20:55:09 +0100
Subject: [PATCH] validate uuid token before use

---
 cfp/decorators.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cfp/decorators.py b/cfp/decorators.py
index c952ecd..5caaf20 100644
--- a/cfp/decorators.py
+++ b/cfp/decorators.py
@@ -1,8 +1,10 @@
 from django.core.exceptions import PermissionDenied
 from django.contrib.auth.decorators import login_required
 from django.shortcuts import get_object_or_404
+from django.http import Http404
 
 from functools import wraps
+from uuid import UUID
 
 from cfp.utils import is_staff
 from cfp.models import Participant, Volunteer
@@ -12,6 +14,10 @@ def speaker_required(view_func):
     def wrapped_view(request, **kwargs):
         speaker_token = kwargs.pop('speaker_token')
         if speaker_token:
+            try:
+                speaker_token = UUID(speaker_token)
+            except ValueError:
+                raise Http404
             speaker = get_object_or_404(Participant, site=request.conference.site, token=speaker_token)
         elif request.user.is_authenticated():
             speaker = get_object_or_404(Participant, site=request.conference.site, email=request.user.email)
@@ -26,6 +32,10 @@ def volunteer_required(view_func):
     def wrapped_view(request, **kwargs):
         volunteer_token = kwargs.pop('volunteer_token')
         if volunteer_token:
+            try:
+                volunteer_token = UUID(volunteer_token)
+            except ValueError:
+                raise Http404
             volunteer = get_object_or_404(Volunteer, site=request.conference.site, token=volunteer_token)
         elif request.user.is_authenticated():
             volunteer = get_object_or_404(Volunteer, site=request.conference.site, email=request.user.email)
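Review bot: The `try: UUID(...) except ValueError: raise Http404` block added inside `wrapped_view` of `speaker_required` is repeated verbatim in `volunteer_required` further down the patch; a single module-level helper would keep the two decorators from drifting and gives the security rationale one place to live. The rationale is worth writing down: a malformed token and an unknown-but-well-formed token both end in the same 404 from `get_object_or_404`, so a caller probing the URL cannot tell "bad format" from "no such participant", and the helper docstring should say that is intentional. Note that `uuid.UUID()` is lenient (it accepts braces, a `urn:uuid:` prefix and hyphen-less hex), which is harmless here because the lookup is by the parsed value rather than the raw string, but worth a one-line comment so nobody later "tightens" it by matching on the raw text. `wrapped_view` and the enclosing `speaker_required` both continue outside the hunk.
```python
def _token_or_404(value):
    """Parse a URL token as a UUID.

    Malformed tokens raise Http404, the same response an unknown token
    gets from get_object_or_404, so format errors are not distinguishable
    from lookup failures. UUID() is lenient about braces/urn:/hyphens;
    that is fine because the lookup is by parsed value, not raw text.
    """
    try:
        return UUID(value)
    except ValueError:
        raise Http404

# … unchanged: speaker_required / wrapped_view up to the token check …
        if speaker_token:
            speaker_token = _token_or_404(speaker_token)
            speaker = get_object_or_404(Participant, site=request.conference.site, token=speaker_token)
```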
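Review bot: After the added `volunteer_token = UUID(volunteer_token)` the lookup `get_object_or_404(Volunteer, ..., token=volunteer_token)` now receives a `UUID` object instead of the URL string; that is only equivalent to the old behaviour if `Volunteer.token` is a `UUIDField`, which the hunk does not show. If it were a `CharField`, Django would coerce the object with `str()` to the canonical lowercase hyphenated form, so a stored value in any other spelling would silently stop matching — worth confirming against `cfp/models.py` before merging. If the project is Python 3 only, `raise Http404 from None` would also drop the chained `ValueError` from the 404's traceback, since the parse failure adds nothing useful there. `wrapped_view` and the enclosing `volunteer_required` both continue outside the hunk.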