
Showing content from https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f below:

[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+ · django/django@a3aebfd · GitHub


3 files changed

+38

-2

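--- a/django/core/cache/backends/filebased.py
+++ b/django/core/cache/backends/filebased.py
@@ -114,10 +114,15 @@ def _cull(self):
 
 def _createdir(self):
 if not os.path.exists(self._dir):
+# Set the umask because os.makedirs() doesn't apply the "mode" argument
+# to intermediate-level directories.
+old_umask = os.umask(0o077)
 try:
 os.makedirs(self._dir, 0o700)
 except FileExistsError:
 pass
+finally:
+os.umask(old_umask)
 
 def _key_to_file(self, key, version=None):
 """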
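Review bot: The umask installed on the `old_umask = os.umask(0o077)` line is process-wide, so any other thread that creates a file or directory between that line and the `finally: os.umask(old_umask)` restore also loses its group/other bits, and a umask change made concurrently by other code is clobbered when this block restores the saved value; that is tolerable for a one-time directory creation, but the comment should say so, e.g. `# NOTE: umask is process-wide; other threads creating files during this window are affected too.` The hunk also leaves existing intermediate directories untouched: the `if not os.path.exists(self._dir)` guard skips the whole block, so a cache tree created under an earlier release keeps its umask-derived permissions and must be repaired by hand, which the release-note text for this CVE (outside this hunk) does not currently say. `_createdir` is complete within the hunk; `_key_to_file` continues past it.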
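--- a/docs/releases/2.2.16.txt
+++ b/docs/releases/2.2.16.txt
@@ -4,7 +4,7 @@ Django 2.2.16 release notes
 
 *Expected September 1, 2020*
 
-Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
+Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
 
 CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
 ======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
 You should review and manually fix permissions on existing intermediate-level
 directories.
 
+CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
+===============================================================================================================
+
+On Python 3.7+, the intermediate-level directories of the file system cache had
+the system's standard umask rather than ``0o077`` (no group or others
+permissions).
+
 Bugfixes
 ========
 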
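--- a/tests/cache/tests.py
+++ b/tests/cache/tests.py
@@ -6,11 +6,13 @@
 import pickle
 import re
 import shutil
+import sys
 import tempfile
 import threading
 import time
 import unittest
-from unittest import mock
+from pathlib import Path
+from unittest import mock, skipIf
 
 from django.conf import settings
 from django.core import management, signals
@@ -1430,6 +1432,28 @@ def test_get_ignores_enoent(self):
 # Returns the default instead of erroring.
 self.assertEqual(cache.get('foo', 'baz'), 'baz')
 
+@skipIf(
+sys.platform == 'win32',
+'Windows only partially supports umasks and chmod.',
+)
+def test_cache_dir_permissions(self):
+os.rmdir(self.dirname)
+dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
+for cache_params in settings.CACHES.values():
+cache_params['LOCATION'] = str(dir_path)
+setting_changed.send(self.__class__, setting='CACHES', enter=False)
+cache.set('foo', 'bar')
+self.assertIs(dir_path.exists(), True)
+tests = [
+dir_path,
+dir_path.parent,
+dir_path.parent.parent,
+]
+for directory in tests:
+with self.subTest(directory=directory):
+dir_mode = directory.stat().st_mode & 0o777
+self.assertEqual(dir_mode, 0o700)
+
 def test_get_does_not_ignore_non_filenotfound_exceptions(self):
 with mock.patch('builtins.open', side_effect=IOError):
 with self.assertRaises(IOError):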
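Review bot: `test_cache_dir_permissions` asserts the three directory modes but never checks that the backend restored the process umask after creating them, so a regression that drops the `finally` restore and leaves the process at `0o077` would still pass. Capturing the mask before the `cache.set('foo', 'bar')` call and comparing it afterwards closes that gap: `saved_umask = os.umask(0); os.umask(saved_umask)` before the call and `self.assertEqual(os.umask(saved_umask), saved_umask)` after it. The loop also mutates `settings.CACHES` in place via `cache_params['LOCATION'] = str(dir_path)` and relies on fixtures outside the hunk to put it back for later tests, and `os.rmdir(self.dirname)` presumes the directory is still empty at that point; a one-line comment on each would spare the next reader from checking. The enclosing test class starts and ends outside the hunk.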


