From c36075ac1dddfa986340b1a5e15fe48833322372 Mon Sep 17 00:00:00 2001 From: christa Date: Tue, 27 Oct 2020 00:01:03 +0800 Subject: Fixed #31983 -- Added system check for file system caches location. Thanks Johannes Maron and Nick Pope for reviews. --- docs/ref/checks.txt | 4 ++++ docs/topics/cache.txt | 10 ++++++++++ 2 files changed, 14 insertions(+) (limited to 'docs') diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 56fde4198a..0ff6d36a25 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -138,6 +138,10 @@ configured: * **caches.E001**: You must define a ``'default'`` cache in your :setting:`CACHES` setting. +* **caches.W002**: Your ```` configuration might expose your cache or + lead to corruption of your data because its + :setting:`LOCATION ` matches/is inside/contains + :setting:`MEDIA_ROOT`/:setting:`STATIC_ROOT`/:setting:`STATICFILES_DIRS`. Database -------- diff --git a/docs/topics/cache.txt b/docs/topics/cache.txt index f8e86ae85f..14a257b1f4 100644 --- a/docs/topics/cache.txt +++ b/docs/topics/cache.txt @@ -293,6 +293,16 @@ above example, if your server runs as the user ``apache``, make sure the directory ``/var/tmp/django_cache`` exists and is readable and writable by the user ``apache``. +.. warning:: + + When the cache :setting:`LOCATION ` is contained within + :setting:`MEDIA_ROOT`, :setting:`STATIC_ROOT`, or + :setting:`STATICFILES_FINDERS`, sensitive data may be exposed. + + An attacker who gains access to the cache file can not only falsify HTML + content, which your site will trust, but also remotely execute arbitrary + code, as the data is serialized using :mod:`pickle`. + .. _local-memory-caching: Local-memory caching -- cgit v1.3