Hi all,

There is a possible Path Manipulation issue found by Qihoo360 CodeSafe Team. Details as below:

![image](https://user-images.githubusercontent.com/39950310/49272192-9e773e80-f4ab-11e8-93f5-0c3a96fc02e5.png)

In django-shop-master\example\myshop\management\commands\initialize_shop_demo.py line 95, when you get the URL from the request to download the zip file directly, attackers may build a malicious URL which makes you download some bad files. We recommend using whitelists or blacklists to filter the returned URLs.

Cheers, Qihoo360 CodeSafe Team
The settings variable SHOP_TUTORIAL is 100% under the control of the person invoking the management command initialize_shop_demo. Therefore, unless he wants to harm himself, I don't see any risk here.