Skip to content

Directory traversal outside of SENDFILE_ROOT in django-sendfile2

Moderate severity GitHub Reviewed Published Jun 17, 2020 in moggers87/django-sendfile2 • Updated Jan 9, 2023

Package

pip django-sendfile2 (pip)

Affected versions

< 0.6.0

Patched versions

0.6.0

Description

django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author).

This will be fixed in 0.6.0 which is to be released the same day as this advisory is made public.

When upgrading, you will need to make sure SENDFILE_ROOT is set in your settings module if it wasn't already.

References

@moggers87 moggers87 published to moggers87/django-sendfile2 Jun 17, 2020
Reviewed Jun 18, 2020
Published to the GitHub Advisory Database Jun 24, 2020
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-6r3c-8xf3-ggrr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.