Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZyM2MtOHhmMy1nZ3Jy
Directory traversal outside of SENDFILE_ROOT in django-sendfile2
django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author).
This will be fixed in 0.6.0 which is to be released the same day as this advisory is made public.
When upgrading, you will need to make sure SENDFILE_ROOT is set in your settings module if it wasn't already.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZyM2MtOHhmMy1nZ3Jy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
Identifiers: GHSA-6r3c-8xf3-ggrr
References:
- https://github.com/moggers87/django-sendfile2/security/advisories/GHSA-6r3c-8xf3-ggrr
- https://github.com/moggers87/django-sendfile2/commit/f870c52398a55b9b5189932dd8caa24efb4bc1e1
- https://github.com/advisories/GHSA-6r3c-8xf3-ggrr
Blast Radius: 0.0
Affected Packages
pypi:django-sendfile2
Dependent packages: 6Dependent repositories: 177
Downloads: 25,476 last month
Affected Version Ranges: < 0.6.0
Fixed in: 0.6.0
All affected versions: 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.1
All unaffected versions: 0.6.0, 0.6.1, 0.7.0, 0.7.1