
Use Django's built-in FileResponse to address security issue

Open · mick88 opened this issue 2 years ago · 1 comment

Django recently released a patch that addresses CVE-2022-36359.

I am concerned that since this library does not use Django's FileResponse, it may be vulnerable to a similar type of attack and will not benefit from Django's patch.

After copying the test case from the Django patch and running it against DownloadView, I noticed that it does not pass, so it is possible that DownloadView is not as secure, since it does not escape file names.

mick88 · Aug 04 '22 09:08
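The point of the report is the escaping of the file name when it is placed into the `Content-Disposition` header. The following is an added example, not code from the django-downloadview project or from the Django patch: it puts a naive header builder that interpolates the name unescaped next to a hardened one that mirrors the approach Django's `FileResponse` takes (backslash and double-quote escaping for ASCII names, an RFC 5987 `filename*=utf-8''` form for non-ASCII names). The rejection of control characters is an additional check I added, since a CR/LF in a header value is what a header-injection test would otherwise exercise; the function names and sample file names are my own.

```python
from urllib.parse import quote


def naive_content_disposition(filename: str) -> str:
    """Unescaped interpolation: a double quote inside the name terminates the
    quoted-string early, so the rest of the name is parsed as further header
    parameters. Shown only to contrast with the hardened builder below."""
    return f'attachment; filename="{filename}"'


def safe_content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Build a Content-Disposition value the way Django's FileResponse does.

    - Control characters (including CR and LF) are rejected outright, so the
      name can never split or inject a header line (added check, not Django's).
    - Pure-ASCII names are placed in a quoted-string with backslash and double
      quote escaped, so a quote in the name cannot close the parameter.
    - Non-ASCII names use the RFC 5987 ext-value form, percent-encoded, which
      needs no quoting at all.
    """
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        raise ValueError("control characters are not allowed in a filename")

    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', r"\"")
        file_expr = f'filename="{escaped}"'
    return f"{disposition}; {file_expr}"


if __name__ == "__main__":
    # Constructed sample names; the second one carries an embedded double quote.
    for name in ["report.pdf", 'a"b.txt', "back\\slash.txt", "résumé.pdf"]:
        print("naive:", naive_content_disposition(name))
        print("safe: ", safe_content_disposition(name))
```

Running the script shows the difference directly: for `a"b.txt` the naive builder emits `filename="a"b.txt"`, which a client parses as the name `a` followed by junk, while the hardened builder emits `filename="a\"b.txt"`. A test in the spirit of the Django one would feed such names through the view and assert on the resulting header.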

Nice feedback, thank you. Do you think you might be able to create a PR with the failing test?

Natim · Aug 04 '22 12:08