
Showing content from https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554 below:

[3.0.x] Fixed CVE-2020-24584 -- Fixed permission escalation in interm… · django/django@cdb367c · GitHub

File tree Expand file treeCollapse file tree 4 files changed

+48

-4

lines changed


@@ -113,7 +113,13 @@ def _cull(self):

113 113

self._delete(fname)

114 114 115 115

def _createdir(self):

116 -

os.makedirs(self._dir, 0o700, exist_ok=True)

116 +

# Set the umask because os.makedirs() doesn't apply the "mode" argument

117 +

# to intermediate-level directories.

118 +

old_umask = os.umask(0o077)

119 +

try:

120 +

os.makedirs(self._dir, 0o700, exist_ok=True)

121 +

finally:

122 +

os.umask(old_umask)

117 123 118 124

def _key_to_file(self, key, version=None):

119 125

"""

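Review bot: os.umask() in _createdir changes the mask for the whole process, not just for this call, so between `os.umask(0o077)` and the `finally` any other thread that creates a file or directory also gets 0o077 applied. Two threads entering _createdir at the same time can interleave so that the second one saves 0o077 as `old_umask` and restores it last, leaving the process umask tightened after both return. That fails closed, but it is surprising, so I would at least extend the comment with something like `# NOTE: os.umask() is process-wide; other threads see 0o077 until it is restored.`, or serialize the umask/makedirs/restore sequence behind a lock if one is acceptable here. Separately, `exist_ok=True` leaves the mode of directories that already exist untouched, so cache directories created before this change keep whatever permissions they had.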
Original file line number Diff line number Diff line change

@@ -4,7 +4,7 @@ Django 2.2.16 release notes

4 4 5 5

*Expected September 1, 2020*

6 6 7 -

Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.

7 +

Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.

8 8 9 9

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

10 10

======================================================================================

@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the

17 17

You should review and manually fix permissions on existing intermediate-level

18 18

directories.

19 19 20 +

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

21 +

===============================================================================================================

22 + 23 +

On Python 3.7+, the intermediate-level directories of the file system cache had

24 +

the system's standard umask rather than ``0o077`` (no group or others

25 +

permissions).

26 + 20 27

Bugfixes

21 28

========

22 29 Original file line number Diff line number Diff line change

@@ -4,7 +4,7 @@ Django 3.0.10 release notes

4 4 5 5

*Expected September 1, 2020*

6 6 7 -

Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9.

7 +

Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.

8 8 9 9

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

10 10

======================================================================================

@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the

17 17

You should review and manually fix permissions on existing intermediate-level

18 18

directories.

19 19 20 +

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

21 +

===============================================================================================================

22 + 23 +

On Python 3.7+, the intermediate-level directories of the file system cache had

24 +

the system's standard umask rather than ``0o077`` (no group or others

25 +

permissions).

26 + 20 27

Bugfixes

21 28

========

22 29 Original file line number Diff line number Diff line change

@@ -6,11 +6,13 @@

6 6

import pickle

7 7

import re

8 8

import shutil

9 +

import sys

9 10

import tempfile

10 11

import threading

11 12

import time

12 13

import unittest

13 -

from unittest import mock

14 +

from pathlib import Path

15 +

from unittest import mock, skipIf

14 16 15 17

from django.conf import settings

16 18

from django.core import management, signals

@@ -1443,6 +1445,28 @@ def test_get_ignores_enoent(self):

1443 1445

# Returns the default instead of erroring.

1444 1446

self.assertEqual(cache.get('foo', 'baz'), 'baz')

1445 1447 1448 +

@skipIf(

1449 +

sys.platform == 'win32',

1450 +

'Windows only partially supports umasks and chmod.',

1451 +

)

1452 +

def test_cache_dir_permissions(self):

1453 +

os.rmdir(self.dirname)

1454 +

dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'

1455 +

for cache_params in settings.CACHES.values():

1456 +

cache_params['LOCATION'] = dir_path

1457 +

setting_changed.send(self.__class__, setting='CACHES', enter=False)

1458 +

cache.set('foo', 'bar')

1459 +

self.assertIs(dir_path.exists(), True)

1460 +

tests = [

1461 +

dir_path,

1462 +

dir_path.parent,

1463 +

dir_path.parent.parent,

1464 +

]

1465 +

for directory in tests:

1466 +

with self.subTest(directory=directory):

1467 +

dir_mode = directory.stat().st_mode & 0o777

1468 +

self.assertEqual(dir_mode, 0o700)

1469 + 1446 1470

def test_get_does_not_ignore_non_filenotfound_exceptions(self):

1447 1471

with mock.patch('builtins.open', side_effect=OSError):

1448 1472

with self.assertRaises(OSError):
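Review bot: test_cache_dir_permissions depends on whatever umask the test runner happens to have: under an ambient umask of 0o077 all three directories come out as 0o700 even without the fix in _createdir, so a regression would go unnoticed. Pinning a permissive mask at the top of the test, `old_umask = os.umask(0o022)` followed by `self.addCleanup(os.umask, old_umask)`, makes the assertion meaningful on every runner. It would also be worth asserting after `cache.set('foo', 'bar')` that the process umask is back to the pinned value, since restoring it is half of what the new try/finally does. The test class and its setUp/tearDown are outside the hunk, so this assumes nothing there already fixes the umask.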
