awesto / django-shop

A Django based shop system
http://www.django-shop.org
BSD 3-Clause "New" or "Revised" License
3.18k stars, 1.04k forks

Path Manipulation #758

Closed QiAnXinCodeSafe closed 5 years ago

QiAnXinCodeSafe commented 5 years ago

Hi all,

There is a possible Path Manipulation issue found by Qihoo360 CodeSafe Team. Details as below:

In django-shop-master\example\myshop\management\commands\initialize_shop_demo.py line 95, you get the URL from the request to download the zip file directly. Attackers may build a malicious URL, which makes you download some bad files. We recommend using whitelists or blacklists to filter the returned URLs.

Cheers Qihoo360 CodeSafe Team
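The allowlist filtering the report recommends, written as an added example rather than code from django-shop's initialize_shop_demo command: the host list, the function names and the placeholder host downloads.example.org are all assumptions, since the command's real code is not shown in this thread.

```python
"""Allowlist check for a download URL before an archive is fetched.

Added example, not django-shop's own code. ALLOWED_DOWNLOAD_HOSTS,
validate_download_url and is_trusted_download_url are hypothetical names,
and downloads.example.org is a constructed placeholder host.
"""
from urllib.parse import urlparse

# Constructed allowlist: the only origin the demo archive may come from.
ALLOWED_DOWNLOAD_HOSTS = frozenset({"downloads.example.org"})
ALLOWED_SCHEMES = frozenset({"https"})


class UntrustedDownloadURL(ValueError):
    """Raised when a URL fails the allowlist check."""


def validate_download_url(url, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS,
                          allowed_schemes=ALLOWED_SCHEMES):
    """Return url unchanged if its scheme, host and file type are allowed.

    Anything else (plain http, file://, an unknown host, a non-zip path)
    raises UntrustedDownloadURL so the caller never downloads it.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in allowed_schemes:
        raise UntrustedDownloadURL("scheme not allowed: %r" % parsed.scheme)
    # hostname (not netloc) is compared: it drops userinfo and port, so the
    # allowlist match is made on the host that would actually be contacted.
    host = parsed.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise UntrustedDownloadURL("host not allowed: %r" % host)
    if not parsed.path.lower().endswith(".zip"):
        raise UntrustedDownloadURL("expected a .zip archive: %r" % parsed.path)
    return url


def is_trusted_download_url(url):
    """Boolean form for use in a management command's handle() method."""
    try:
        validate_download_url(url)
    except UntrustedDownloadURL:
        return False
    return True
```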

jrief commented 5 years ago

The settings variable SHOP_TUTORIAL is 100% in control of the person invoking the management command initialize_shop_demo. Therefore, unless he wants to harm himself, I don't see any risk here.