| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-21 12:43:45 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-25 11:09:40 +0200 |
| commit | a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (patch) | |
| tree | 983d19b0902cde5d010ff6905cfe7d75ce7f07f9 /django | |
| parent | 375657a71c889c588f723469bd868bd1d40c369f (diff) | |
[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/cache/backends/filebased.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py
index ca8b006577..012b54e8cf 100644
--- a/django/core/cache/backends/filebased.py
+++ b/django/core/cache/backends/filebased.py
@@ -114,10 +114,15 @@ class FileBasedCache(BaseCache):
 def _createdir(self):
 if not os.path.exists(self._dir):
+ # Set the umask because os.makedirs() doesn't apply the "mode" argument
+ # to intermediate-level directories.
+ old_umask = os.umask(0o077)
 try:
 os.makedirs(self._dir, 0o700)
 except FileExistsError:
 pass
+ finally:
+ os.umask(old_umask)
 def _key_to_file(self, key, version=None):
 """ |
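Review bot: The `os.umask(0o077)` added before `os.makedirs()` in `_createdir` changes the umask for the whole process, not only the calling thread, and the save/restore pair is not serialized. If two threads enter `_createdir` at the same time, the second can read `0o077` as its `old_umask` and restore it last, leaving the process on the restrictive mask; any file another thread creates inside the window is also affected. That fails on the safe side, but it is worth guarding the block with a module-level lock, or at least saying so in the comment, e.g. `# os.umask() is process-wide; keep this window as short as possible.` Separately, the surrounding `if not os.path.exists(self._dir):` guard means the fix only covers directories created after the upgrade, so intermediate directories created earlier under the default umask keep their old modes and need a one-time permission check.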
