
Updating to v5.0 may expose your database dumps in the public media directory #645

@dwjorgeb

Description

Current Situation

In v5.0.0, we have this changelog buried deep inside the changelog:

Drop support for DBBACKUP_STORAGE AND DBBACKUP_STORAGE_OPTIONS settings, use Django's STORAGES['dbbackup'] setting instead.

And then buried in the storages documentation there's this:

Do not configure backup storage with the same configuration as your media files as you'll risk sharing backups inside public directories.

If no explicit STORAGES['dbbackup'] is provided the default File System Storage is used (pointing at your project media root). Consider isolating backups in a dedicated directory with restricted permissions. Browse additional providers at [Django Packages](https://djangopackages.org/grids/g/storage-backends/).

Implications: updating to v5.0.0 (or if you don't have version locking) without changing to the new setting structure will - by default - start dumping your database backups in the media dir, which is a public directory!

I don't think I have to tell you how much of a security vulnerability this presents for everyone using this library. Thankfully we noticed this behavior on a project that is not open to the internet as soon as the containers started to get unreasonably bloated (because it was making local backups instead of sending to S3), but it could have been much worse.

With great power comes great responsibility, and I think that dealing with people's database data is a very big responsibility, and under no circumstances should the default behavior be to expose people's database dumps in a public directory! Raise an error if people don't have it set up, don't silently add dumps to the media path!

Proposed Actions

No response

System Information

No response
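The fallback the issue describes is a configuration problem, so the most useful thing to show is the settings shape that triggers it beside a hardened one, plus a check that flags the risky shape before a deploy. The following is an added example, not code from django-dbbackup or from the issue author; the paths under `/srv/app` are constructed, and `dbbackup_storage_findings` is a hypothetical helper, not a django-dbbackup API. The `FileSystemStorage` options it reads (`location`, `base_url`, `file_permissions_mode`, `directory_permissions_mode`) are standard Django storage constructor arguments.

```python
"""Risky vs. hardened STORAGES layout for django-dbbackup 5.x, with a
settings check that a deploy pipeline or a Django system check can run.

Added example; not part of django-dbbackup or the issue.  Paths are
constructed sample values.
"""
import os
from pathlib import Path

BASE_DIR = Path("/srv/app")             # constructed sample project root
MEDIA_ROOT = BASE_DIR / "media"         # served to the public by the web server

# Risky: no STORAGES["dbbackup"] key at all.  With django-dbbackup 5.0 the
# library falls back to the default FileSystemStorage, i.e. MEDIA_ROOT, so
# dumps land in the public media tree.
STORAGES_RISKY = {
    "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
    "staticfiles": {
        "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
    },
}

# Hardened: an explicit dbbackup storage in a directory the web server never
# serves, with no base_url and restrictive file/directory modes.
STORAGES_HARDENED = {
    "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
    "staticfiles": {
        "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
    },
    "dbbackup": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
        "OPTIONS": {
            "location": str(BASE_DIR / "private" / "dbbackups"),
            "file_permissions_mode": 0o600,
            "directory_permissions_mode": 0o700,
        },
    },
}


def dbbackup_storage_findings(storages, media_root):
    """Return a list of human-readable findings for a STORAGES dict.

    An empty list means the dbbackup storage is explicit and does not sit
    inside MEDIA_ROOT.  Hypothetical helper written for this example.
    """
    findings = []
    cfg = storages.get("dbbackup")
    if cfg is None:
        findings.append(
            "STORAGES['dbbackup'] is not set; django-dbbackup 5.x falls back "
            "to the default storage at MEDIA_ROOT"
        )
        return findings

    backend = cfg.get("BACKEND", "")
    options = cfg.get("OPTIONS", {}) or {}
    if backend.endswith("FileSystemStorage"):
        location = options.get("location")
        if location is None:
            findings.append(
                "dbbackup FileSystemStorage has no 'location'; it defaults "
                "to MEDIA_ROOT"
            )
        else:
            # abspath instead of resolve(): the directories need not exist.
            loc = Path(os.path.abspath(location))
            media = Path(os.path.abspath(media_root))
            if loc == media or media in loc.parents:
                findings.append(
                    f"dbbackup location {loc} lies inside MEDIA_ROOT {media}"
                )
        if options.get("base_url"):
            findings.append(
                "dbbackup storage has a base_url, so dumps are URL-addressable"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", STORAGES_RISKY), ("hardened", STORAGES_HARDENED)):
        problems = dbbackup_storage_findings(cfg, MEDIA_ROOT)
        print(f"{name}: {problems or 'OK'}")
```

In a real project the same function can be wrapped in a Django system check (`django.core.checks.register`) that returns `Error` objects, so `manage.py check --deploy` refuses to pass while the fallback is in effect; that turns the silent default into the loud failure the issue asks for.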
