authorNatalia <124304+nessita@users.noreply.github.com>2026-01-21 18:03:20 -0300
committerNatalia <124304+nessita@users.noreply.github.com>2026-03-03 09:17:39 -0300
commitb07ed2a1e445efde54fc64cb8c37e0f4f7fe53e5 (patch)
tree0c9cba1bad625b92217ceac4733793632f4d7f34 /django/core/cache/backends/filebased.py
parent4d3c184686626d224d9a87451410ecf802b41f7c (diff)
[5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
Diffstat (limited to 'django/core/cache/backends/filebased.py')
-rw-r--r--django/core/cache/backends/filebased.py10
1 files changed, 4 insertions, 6 deletions
diff --git a/django/core/cache/backends/filebased.py b/django/core/cache/backends/filebased.py
index 862a8b57d9..9f2ad48ac8 100644
--- a/django/core/cache/backends/filebased.py
+++ b/django/core/cache/backends/filebased.py
@@ -12,6 +12,7 @@ from hashlib import md5
from django.core.cache.backends.base import DEFAULT_TIMEOUT, BaseCache
from django.core.files import locks
from django.core.files.move import file_move_safe
+from django.utils._os import safe_makedirs
class FileBasedCache(BaseCache):
@@ -115,13 +116,10 @@ class FileBasedCache(BaseCache):
self._delete(fname)
def _createdir(self):
- # Set the umask because os.makedirs() doesn't apply the "mode" argument
+ # Workaround because os.makedirs() doesn't apply the "mode" argument
# to intermediate-level directories.
- old_umask = os.umask(0o077)
- try:
- os.makedirs(self._dir, 0o700, exist_ok=True)
- finally:
- os.umask(old_umask)
+ # https://github.com/python/cpython/issues/86533
+ safe_makedirs(self._dir, mode=0o700, exist_ok=True)
def _key_to_file(self, key, version=None):
"""
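Review bot: With `exist_ok=True`, the `safe_makedirs(self._dir, mode=0o700, exist_ok=True)` call in `_createdir` makes no statement about a cache directory that already exists, so one pre-created with a wider mode presumably keeps that mode. The helper's body is not shown on this page, so this is inferred from the `os.makedirs()` semantics it replaces. The comment above the call should state that limit, for example `# Only directories created here get mode 0o700; an existing self._dir keeps its current mode.` If pre-existing directories are expected in deployments, a check such as `if os.stat(self._dir).st_mode & 0o077:` followed by a warning would make a group- or world-accessible cache directory visible to operators. `_createdir` is fully inside the hunk, but its callers are not.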