Advisories for Pypi/Django-Sendfile2 package

Similar to CVE-2022-36359 for Django, django-sendfile2 does not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform a such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173

django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author). This will be fixed which is to be released the same day as this advisory is made public. When upgrading, you …