django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author).
This will be fixed in 0.6.0 which is to be released the same day as this advisory is made public.
When upgrading, you will need to make sure SENDFILE_ROOT is set in your settings module if it wasn't already.
Thanks to Gianluca Pacchiella for reporting this issue and for providing the initial patch.
django-sendfile2 currently relies on the backend to correctly limit file paths to
SENDFILE_ROOT. This is not the case for thesimpleanddevelopmentbackends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author).This will be fixed in 0.6.0 which is to be released the same day as this advisory is made public.
When upgrading, you will need to make sure
SENDFILE_ROOTis set in your settings module if it wasn't already.Thanks to Gianluca Pacchiella for reporting this issue and for providing the initial patch.