GMS-2020-11: Directory traversal outside of SENDFILE_ROOT in django-sendfile2

June 24, 2020 (updated September 22, 2021)

django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it’s just an assumption that was made by the original author).

This will be fixed which is to be released the same day as this advisory is made public.

When upgrading, you will need to make sure SENDFILE_ROOT is set in your settings module if it wasn’t already.

References

github.com/advisories/GHSA-6r3c-8xf3-ggrr
github.com/moggers87/django-sendfile2/commit/f870c52398a55b9b5189932dd8caa24efb4bc1e1
github.com/moggers87/django-sendfile2/security/advisories/GHSA-6r3c-8xf3-ggrr

Code Behaviors & Features

Detect and mitigate GMS-2020-11 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →