Django recently released a patch that addresses CVE-2022-36359.
I am concerned that since this library does not use Django's FileResponse, it may be vulnerable to a similar type of attack and will not benefit from Django's patch.
After copying the test case from the Django patch and running it against DownloadView, I noticed that it does not pass, so it is possible that DownloadView is not as secure, since it does not escape file names.
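As an added illustration of the escaping the issue is asking for (example code written here, not the library's own code and not Django's), the block below builds a `Content-Disposition` header the way Django's fix for CVE-2022-36359 does (escape `\` and `"` in ASCII names, RFC 5987 percent-encode non-ASCII ones), keeps the unescaped form beside it for comparison, and parses the result back the way a client would, so a round-trip check shows which names survive intact and which let extra parameters slip into the header. The function names and the sample file names are constructed for this example.

```python
# Added example (not the library's code, not Django's): build and parse a
# Content-Disposition header, escaping the filename the way Django's fix for
# CVE-2022-36359 does, so a name containing '"' or '\' cannot terminate the
# quoted-string and smuggle further parameters into the header.
from urllib.parse import quote, unquote


def content_disposition(filename, as_attachment=True):
    """Header value with the filename escaped (ASCII) or RFC 5987-encoded."""
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Non-ASCII names use the extended form, percent-encoded; no quotes
        # are involved, so nothing can end the parameter early.
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    else:
        # Escape backslashes first, then double quotes (RFC 7230 quoted-pair).
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = 'filename="{}"'.format(escaped)
    return "{}; {}".format(disposition, file_expr)


def naive_content_disposition(filename, as_attachment=True):
    """The unescaped form the issue is worried about, kept for comparison."""
    disposition = "attachment" if as_attachment else "inline"
    return '{}; filename="{}"'.format(disposition, filename)


def parse_content_disposition(header):
    """Minimal parser: (disposition, {param: value}) as a client reads it."""
    disposition, _, rest = header.partition(";")
    params = {}
    rest = rest.strip()
    while rest:
        name, _, rest = rest.partition("=")
        name = name.strip().lower()
        rest = rest.lstrip()
        if rest.startswith('"'):
            # quoted-string: a backslash escapes the next character
            chars, i = [], 1
            while i < len(rest) and rest[i] != '"':
                if rest[i] == "\\" and i + 1 < len(rest):
                    i += 1
                chars.append(rest[i])
                i += 1
            value = "".join(chars)
            rest = rest[i + 1:].lstrip()
            if rest.startswith(";"):
                rest = rest[1:].lstrip()
        else:
            value, _, rest = rest.partition(";")
            value = value.strip()
            rest = rest.lstrip()
        if name.endswith("*"):
            # RFC 5987 form: charset'language'percent-encoded-value
            charset, _, tail = value.partition("'")
            _lang, _, encoded = tail.partition("'")
            value = unquote(encoded, encoding=charset or "utf-8")
            name = name[:-1]
        params[name] = value
    return disposition.strip(), params


def filename_round_trips(filename, builder=content_disposition):
    """True when a client recovers exactly `filename` and nothing else."""
    _, params = parse_content_disposition(builder(filename))
    return params == {"filename": filename}


if __name__ == "__main__":
    # Constructed sample names covering the quote, backslash and non-ASCII cases.
    samples = ['plain.txt', 'my\\file.txt', '"quoted".txt',
               'a.txt"; foo="bar', 'déjà vu.txt']
    for name in samples:
        print(repr(name),
              "escaped:", filename_round_trips(name),
              "naive:", filename_round_trips(name, naive_content_disposition))
```

Running the script shows the naive builder turning `a.txt"; foo="bar` into a header with a second `foo` parameter, while the escaped builder returns the original name and nothing more; that is the property a regression test for DownloadView would assert on.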