| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-01-21 18:03:20 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-03 09:12:00 -0300 |
| commit | 264d5c70ef3281a8869cb2ad45a3a52d5adbe790 (patch) | |
| tree | e8185425adac84c8e3b109a1109607d841cb3176 /django/core/files/storage/filesystem.py | |
| parent | b1444d9acf43db9de96e0da2b4737ad56af0eb76 (diff) | |
[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
Diffstat (limited to 'django/core/files/storage/filesystem.py')
| -rw-r--r-- | django/core/files/storage/filesystem.py | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/django/core/files/storage/filesystem.py b/django/core/files/storage/filesystem.py
index 9592bff008..867f2e477c 100644
--- a/django/core/files/storage/filesystem.py
+++ b/django/core/files/storage/filesystem.py
@@ -6,7 +6,7 @@ from django.conf import settings
 from django.core.files import File, locks
 from django.core.files.move import file_move_safe
 from django.core.signals import setting_changed
-from django.utils._os import safe_join
+from django.utils._os import safe_join, safe_makedirs
 from django.utils.deconstruct import deconstructible
 from django.utils.encoding import filepath_to_uri
 from django.utils.functional import cached_property
@@ -72,15 +72,10 @@ class FileSystemStorage(Storage, StorageSettingsMixin):
 directory = os.path.dirname(full_path)
 try:
 if self.directory_permissions_mode is not None:
- # Set the umask because os.makedirs() doesn't apply the "mode"
+ # Workaround because os.makedirs() doesn't apply the "mode"
 # argument to intermediate-level directories.
- old_umask = os.umask(0o777 & ~self.directory_permissions_mode)
- try:
- os.makedirs(
- directory, self.directory_permissions_mode, exist_ok=True
- )
- finally:
- os.umask(old_umask)
+ # https://github.com/python/cpython/issues/86533
+ safe_makedirs(directory, self.directory_permissions_mode, exist_ok=True)
 else:
 os.makedirs(directory, exist_ok=True)
 except FileExistsError: |
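Review bot: The rewritten comment above the `safe_makedirs()` call in the second hunk says only that `os.makedirs()` does not apply `mode` to intermediate directories; it no longer records why the umask approach was dropped, which is the security-relevant part of this change. Since `os.umask()` is process-wide, I would keep that reason in the code so the old pattern is not reintroduced, for example `# Do not toggle os.umask() here: it is process-wide and races with other threads creating files.` The body of `safe_makedirs()` is not part of this diff, so its handling of directories that already exist under `exist_ok=True` cannot be checked from here; presumably their mode is left as found, and if so that is worth stating where `directory_permissions_mode` is documented. The enclosing method starts and ends outside the hunk.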
