chango.git/django/core/cache/backends/filebased.py, branch main django http://cgit.adnoto.dev/chango.git/atom?h=main 2026-03-03T12:09:32Z Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. 2026-03-03T12:09:32Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:019e44f67a8dace67b786e2818938c8691132988 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Applied Black's 2025 stable style. 2025-03-01T18:41:37Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-03-01T18:41:37Z urn:sha1:ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 https://github.com/psf/black/releases/tag/25.1.0 Refs #34900 -- Removed usage of deprecated glob.glob1(). 2024-10-28T13:10:12Z earthyoung studydatawithme@gmail.com 2024-10-28T06:59:18Z urn:sha1:555f2412cba4c5844408042e92f3bf9fa5c2392c Fixed #34233 -- Dropped support for Python 3.8 and 3.9. 2023-01-18T08:46:01Z Mariusz Felisiak felisiak.mariusz@gmail.com 2023-01-18T08:46:01Z urn:sha1:3bbe22dafcc69c5ffa79707f5a74eb1faf466e12 Fixed #34209 -- Prevented FileBasedCache.has_key() crash caused by a race condition. 2022-12-13T18:29:15Z Marti Raudsepp marti@juffo.org 2022-12-13T09:20:25Z urn:sha1:32268456d6494483f9a737dc7c32bbbf1eceab8c Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels. 2021-10-12T06:58:27Z Ade Lee alee@redhat.com 2021-08-10T22:13:54Z urn:sha1:d10c7bfe56f025ccc690721c9f13e7029b777b9c md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added. This encapsulation will pass through the usedforsecurity parameter in the case where the parameter is supported, and strip it if it is not. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Fixed #33060 -- Added BaseCache.make_and_validate_key() hook. 2021-09-07T09:59:59Z Nick Pope nick@nickpope.me.uk 2021-08-26T13:00:05Z urn:sha1:42dfa97e191d8f7ffdc0b5d9502949ef3b8ef356 This helper function reduces the amount of duplicated code and makes it easier to ensure that we always validate the keys. Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+. 2020-09-01T07:17:23Z Mariusz Felisiak felisiak.mariusz@gmail.com 2020-08-21T10:43:45Z urn:sha1:1853724acaf17ed7414d54c7d2b5563a25025a71 Fixed #30759 -- Made cache.delete() return whether it succeeded. 2019-11-14T10:14:11Z daniel a rios misterrios@gmail.com 2019-10-08T09:02:40Z urn:sha1:efc3e32d6d7fb9bb41be73b80c8607b653c1fbd6 Thanks Simon Charette for the review.