jazzband / django-downloadview

Serve files with Django.
https://django-downloadview.readthedocs.io

Use Django's built-in FileResponse to address security issue #196

Open mick88 opened 1 year ago

mick88 commented 1 year ago

Django recently released a patch that addresses CVE-2022-36359.

I am concerned that since this library does not use Django's FileResponse, it may be vulnerable to a similar type of attack and will not benefit from Django's patch.

After copying the test case from the Django patch and running it against DownloadView, I noticed that it does not pass, so it is possible that the DownloadView is not as secure, since it does not escape file names.
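As an added illustration of the file-name escaping the comment above refers to (this is not code from django-downloadview or from Django; it is a stand-alone helper modelled on the approach Django's CVE-2022-36359 fix took for `FileResponse`), the snippet below contrasts a naive `Content-Disposition` builder with one that escapes quotes and backslashes in ASCII names and falls back to RFC 5987 `filename*` encoding for non-ASCII names. The function names and sample file names are constructed for this example.

```python
from urllib.parse import quote


def naive_content_disposition(filename: str) -> str:
    """The pattern the issue worries about: the filename is dropped into the
    header unescaped, so a '"' inside it terminates the quoted-string early
    and the remainder of the name becomes extra header parameters."""
    return 'attachment; filename="%s"' % filename


def content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Build a Content-Disposition value that a (possibly user-derived)
    filename cannot break out of.

    - CR/LF are rejected outright: they would end the header line entirely.
    - Pure-ASCII names are emitted as a quoted-string with backslash and
      double-quote escaped, so the closing quote is always the one we wrote.
    - Non-ASCII names use the RFC 5987 filename*=utf-8'' form, percent-encoded,
      which never needs quoting at all.
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("filename may not contain CR or LF")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # quote() percent-encodes the UTF-8 bytes; '/' is left alone by default,
        # so exclude it too since a path separator has no business in a filename.
        file_expr = "filename*=utf-8''" + quote(filename, safe="")
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = 'filename="%s"' % escaped
    return "%s; %s" % (disposition, file_expr)


if __name__ == "__main__":
    # Constructed name: a double quote followed by what looks like a new parameter.
    tricky = 'report.txt"; foo="bar'
    print("naive :", naive_content_disposition(tricky))
    print("safe  :", content_disposition(tricky))
    print("utf-8 :", content_disposition("résumé.txt"))
```

A minimal regression check for a download view is to feed it a name such as the constructed `tricky` above and assert that the resulting header is the escaped form, which is what the ported Django test case exercises.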

Natim commented 1 year ago

Nice feedback thank you. Do you think you might be able to create a PR with the failing test?