Guard against reflected file download #211

Merged (3 commits), Aug 5, 2024

Conversation

tari (Contributor) commented Jul 30, 2024

This fixes #196 by using the same replacement rules as Django did to fix CVE-2022-36359, and fixes tox.ini to actually run the tests in the tests directory which I found weren't being run (but happily, they do already pass).
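As an added illustration of the approach the PR describes (example code, not django_downloadview's or Django's own), this builds a Content-Disposition value with the escaping rules from Django's CVE-2022-36359 fix, places it beside the naive form it replaces, and uses a small quoted-string reader to show that the escaped header parses back to the original name instead of being cut off at the first quote. Function names and the sample filenames are assumptions.

```python
from urllib.parse import quote


def naive_content_disposition(filename):
    """The pattern the fix replaces (assumed form): the name is dropped
    straight into a quoted-string, so a '"' in it ends the parameter early."""
    return 'attachment; filename="{}"'.format(filename)


def content_disposition(filename, as_attachment=True):
    """Escaping rules from Django's CVE-2022-36359 fix: for ASCII names,
    backslash and double quote are escaped inside the quoted-string; names
    that are not ASCII go into an RFC 5987 filename* parameter instead."""
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Percent-encoded UTF-8; no quotes are involved, so nothing to escape.
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', r"\"")
        file_expr = 'filename="{}"'.format(escaped)
    return "{}; {}".format(disposition, file_expr)


def parse_quoted_filename(header):
    """Minimal quoted-string reader for the filename="..." form: a
    backslash introduces a quoted-pair, an unescaped '"' closes the value."""
    marker = 'filename="'
    i = header.index(marker) + len(marker)
    out = []
    while i < len(header):
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):
            out.append(header[i + 1])
            i += 2
            continue
        if ch == '"':
            break
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample name containing a double quote and a backslash.
    name = 'report";q\\.txt'
    for build in (naive_content_disposition, content_disposition):
        header = build(name)
        print(header, "->", repr(parse_quoted_filename(header)))
```

The naive header parses back to just `report`; the escaped header round-trips the full name.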

tari changed the title from 196-rfd to Guard against reflected file download, Jul 30, 2024
tari requested a review from Natim, July 30, 2024 11:53
tari added 2 commits, August 1, 2024 06:24

Commit messages:

pytest by default only discovers tests in files named test_*.py, so none of the tests were actually being executed. Set the appropriate pytest option to discover the tests so they are automatically run.

This fixes jazzband#196, where it was observed that django_downloadview was vulnerable to reflected file download attacks with specially-named files, similar to CVE-2022-36359 in Django. This change adopts the same replacement rules as used in Django's fix in commit b3e4494d759202a3b6bf247fd34455bf13be5b80.

This test was broken when changed to begin using importlib, but that wasn't evident because the tests directory wasn't being automatically tested.
Natim merged commit 18cb41f into jazzband:master, Aug 5, 2024
11 of 13 checks passed
Linked issue (successfully merging this pull request may close it): Use Django's built-in FileResponse to address security issue
2 participants