@@ -114,7 +114,13 @@ def _cull(self):
114
114
self._delete(fname)
115
115
116
116
def _createdir(self):
117
-
os.makedirs(self._dir, 0o700, exist_ok=True)
117
+
# Set the umask because os.makedirs() doesn't apply the "mode" argument
118
+
# to intermediate-level directories.
119
+
old_umask = os.umask(0o077)
120
+
try:
121
+
os.makedirs(self._dir, 0o700, exist_ok=True)
122
+
finally:
123
+
os.umask(old_umask)
118
124
119
125
def _key_to_file(self, key, version=None):
120
126
"""
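Review bot: `os.umask()` in `_createdir` changes the mask for the whole process rather than for the calling thread, so under a threaded server two concurrent calls can interleave: the second call saves 0o077 as its "old" value and restores it last, leaving the process at 0o077. Any file another thread creates during the window also gets the tighter mask. Serialising the save/set/restore with a module-level lock, e.g. `with _umask_lock:` around the `try`/`finally` (the name is only a suggestion), removes the first problem; the second deserves a comment such as `# NOTE: umask is process-wide; files created by other threads during this call also get 0o077.` Separately, `exist_ok=True` means directories that already exist keep their old mode, so deployments still need to check existing cache paths by hand.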
@@ -4,7 +4,7 @@ Django 2.2.16 release notes
4
4
5
5
*Expected September 1, 2020*
6
6
7
-
Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
7
+
Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
8
8
9
9
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
10
10
======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
17
17
You should review and manually fix permissions on existing intermediate-level
18
18
directories.
19
19
20
+
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
21
+
===============================================================================================================
22
+
23
+
On Python 3.7+, the intermediate-level directories of the file system cache had
24
+
the system's standard umask rather than ``0o077`` (no group or others
25
+
permissions).
26
+
20
27
Bugfixes
21
28
========
22
29
@@ -4,7 +4,7 @@ Django 3.0.10 release notes
4
4
5
5
*Expected September 1, 2020*
6
6
7
-
Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9.
7
+
Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.
8
8
9
9
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
10
10
======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
17
17
You should review and manually fix permissions on existing intermediate-level
18
18
directories.
19
19
20
+
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
21
+
===============================================================================================================
22
+
23
+
On Python 3.7+, the intermediate-level directories of the file system cache had
24
+
the system's standard umask rather than ``0o077`` (no group or others
25
+
permissions).
26
+
20
27
Bugfixes
21
28
========
22
29
@@ -4,7 +4,7 @@ Django 3.1.1 release notes
4
4
5
5
*Expected September 1, 2020*
6
6
7
-
Django 3.1.1 fixes a security issue and several bugs in 3.1.
7
+
Django 3.1.1 fixes two security issues and several bugs in 3.1.
8
8
9
9
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
10
10
======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
17
17
You should review and manually fix permissions on existing intermediate-level
18
18
directories.
19
19
20
+
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
21
+
===============================================================================================================
22
+
23
+
On Python 3.7+, the intermediate-level directories of the file system cache had
24
+
the system's standard umask rather than ``0o077`` (no group or others
25
+
permissions).
26
+
20
27
Bugfixes
21
28
========
22
29
@@ -6,12 +6,13 @@
6
6
import pickle
7
7
import re
8
8
import shutil
9
+
import sys
9
10
import tempfile
10
11
import threading
11
12
import time
12
13
import unittest
13
14
from pathlib import Path
14
-
from unittest import mock
15
+
from unittest import mock, skipIf
15
16
16
17
from django.conf import settings
17
18
from django.core import management, signals
@@ -1466,6 +1467,28 @@ def test_get_ignores_enoent(self):
1466
1467
# Returns the default instead of erroring.
1467
1468
self.assertEqual(cache.get('foo', 'baz'), 'baz')
1468
1469
1470
+
@skipIf(
1471
+
sys.platform == 'win32',
1472
+
'Windows only partially supports umasks and chmod.',
1473
+
)
1474
+
def test_cache_dir_permissions(self):
1475
+
os.rmdir(self.dirname)
1476
+
dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
1477
+
for cache_params in settings.CACHES.values():
1478
+
cache_params['LOCATION'] = dir_path
1479
+
setting_changed.send(self.__class__, setting='CACHES', enter=False)
1480
+
cache.set('foo', 'bar')
1481
+
self.assertIs(dir_path.exists(), True)
1482
+
tests = [
1483
+
dir_path,
1484
+
dir_path.parent,
1485
+
dir_path.parent.parent,
1486
+
]
1487
+
for directory in tests:
1488
+
with self.subTest(directory=directory):
1489
+
dir_mode = directory.stat().st_mode & 0o777
1490
+
self.assertEqual(dir_mode, 0o700)
1491
+
1469
1492
def test_get_does_not_ignore_non_filenotfound_exceptions(self):
1470
1493
with mock.patch('builtins.open', side_effect=OSError):
1471
1494
with self.assertRaises(OSError):
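Review bot: `test_cache_dir_permissions` never pins the process umask, so when the suite runs under a umask that is already 0o077 the intermediate directories come out as 0o700 even with the old one-line `os.makedirs()` call, and the test cannot catch a regression. Setting a permissive mask for the duration of the test makes the assertions meaningful, and reading the mask back afterwards also covers the `finally` restore in `_createdir`, which nothing checks at present. The test also rewrites `LOCATION` on every entry in `settings.CACHES` in place; whether that is undone depends on setup/teardown code outside this hunk.

```python
    def test_cache_dir_permissions(self):
        # Pin a permissive umask so the mode assertions fail without the fix.
        old_umask = os.umask(0o022)
        self.addCleanup(os.umask, old_umask)
        os.rmdir(self.dirname)
        # … unchanged: relocate the cache, cache.set(), per-directory mode assertions …
        # The backend must put the process umask back after creating the directory.
        current_umask = os.umask(0o022)
        self.assertEqual(current_umask, 0o022)
```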