logo

Database

Lack of data validation - Path Traversal In django-sendfile2

Description

Directory traversal outside of SENDFILE_ROOT in django-sendfile2 django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author).

This will be fixed in 0.6.0 which is to be released the same day as this advisory is made public.

When upgrading, you will need to make sure SENDFILE_ROOT is set in your settings module if it wasn't already.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-6r3c-8xf3-ggrr2. GCVE-GHSA-6r3c-8xf3-ggrr

References

1. https://github.com/moggers87/django-sendfile2/security/advisories/GHSA-6r3c-8xf3-ggrr2. https://github.com/moggers87/django-sendfile2/commit/f870c52398a55b9b5189932dd8caa24efb4bc1e1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.