diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-21 11:44:46 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-25 10:43:50 +0200 |
| commit | 08892bffd275c79ee1f8f67639eb170aaaf1181e (patch) | |
| tree | 5a88bd55785ee497b0613417a4f2eb30017c7203 /django/core/files/storage.py | |
| parent | db8b935730002f2cff6df957e8adab9561072834 (diff) | |
[3.0.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.
Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
Diffstat (limited to 'django/core/files/storage.py')
| -rw-r--r-- | django/core/files/storage.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/django/core/files/storage.py b/django/core/files/storage.py index 4c27fce605..af70b3fa15 100644 --- a/django/core/files/storage.py +++ b/django/core/files/storage.py @@ -237,9 +237,9 @@ class FileSystemStorage(Storage): directory = os.path.dirname(full_path) try: if self.directory_permissions_mode is not None: - # os.makedirs applies the global umask, so we reset it, - # for consistency with file_permissions_mode behavior. - old_umask = os.umask(0) + # Set the umask because os.makedirs() doesn't apply the "mode" + # argument to intermediate-level directories. + old_umask = os.umask(0o777 & ~self.directory_permissions_mode) try: os.makedirs(directory, self.directory_permissions_mode, exist_ok=True) finally: |