author Shai Berger <shai@platonix.com> 2026-04-28 11:59:06 +0300
committer Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-28 14:16:53 -0400
commit 3cdec6454fb86e8d03a06944c0c68025733ed93f
tree 81e85788c409af10b8af0c4dcbd0cb6a203f8a3b
parent 5dd5c70cf1056e8e04badb687f773e8f16bba257
[6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.
Backport of 604695cddb41981b84a8d976d1f4c74c39e112b0 from main.
-rw-r--r-- docs/ref/settings.txt 6
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 3d0761dfc6..87f89b1abb 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1641,6 +1641,12 @@ when using the :djadmin:`collectstatic` management command. See
modes must be specified. If you try to use ``644``, you'll get totally
incorrect behavior.
+.. admonition:: A numeric value trumps umask
+
+ When this setting has a numeric value (one you've set yourself, or the
+ default ``0o644``), this value will be used as is, and a umask will not
+ be applied to it. The umask will apply only if this setting is ``None``.
+
.. setting:: FILE_UPLOAD_TEMP_DIR
``FILE_UPLOAD_TEMP_DIR``
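Review bot: the admonition states the rule but stops short of its practical consequence, in the sentence ending "a umask will not be applied to it". With the default ``0o644``, a restrictive process umask such as ``0o077`` does not narrow the mode, so the result stays group- and world-readable. Consider adding one sentence that says so and that tells readers who want tighter permissions to set a stricter numeric value, or ``None`` to defer to the umask. The title's "trumps" is also colloquial for reference documentation; "A numeric value overrides the umask" reads more plainly.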