Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.

This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.

This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

Refs CVE-2020-24583 and #31921.

Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.

1 files changed, 57 insertions, 1 deletions

diff --git a/django/utils/_os.py b/django/utils/_os.py
index 5cd8c566a8..f2969c5e00 100644
--- a/django/utils/_os.py
+++ b/django/utils/_os.py
@@ -1,11 +1,67 @@
 import os
 import tempfile
-from os.path import abspath, dirname, join, normcase, sep
+from os.path import abspath, curdir, dirname, join, normcase, sep
 from pathlib import Path
 
 from django.core.exceptions import SuspiciousFileOperation
 
 
+# Copied verbatim (minus `os.path` fixes) from:
+# https://github.com/python/cpython/pull/23901.
+# Python versions >= PY315 may include this fix, so periodic checks are needed
+# to remove this vendored copy of `makedirs` once solved upstream.
+def makedirs(name, mode=0o777, exist_ok=False, *, parent_mode=None):
+    """makedirs(name [, mode=0o777][, exist_ok=False][, parent_mode=None])
+
+    Super-mkdir; create a leaf directory and all intermediate ones.  Works like
+    mkdir, except that any intermediate path segment (not just the rightmost)
+    will be created if it does not exist. If the target directory already
+    exists, raise an OSError if exist_ok is False. Otherwise no exception is
+    raised.  If parent_mode is not None, it will be used as the mode for any
+    newly-created, intermediate-level directories. Otherwise, intermediate
+    directories are created with the default permissions (respecting umask).
+    This is recursive.
+
+    """
+    head, tail = os.path.split(name)
+    if not tail:
+        head, tail = os.path.split(head)
+    if head and tail and not os.path.exists(head):
+        try:
+            if parent_mode is not None:
+                makedirs(
+                    head, mode=parent_mode, exist_ok=exist_ok, parent_mode=parent_mode
+                )
+            else:
+                makedirs(head, exist_ok=exist_ok)
+        except FileExistsError:
+            # Defeats race condition when another thread created the path
+            pass
+        cdir = curdir
+        if isinstance(tail, bytes):
+            cdir = bytes(curdir, "ASCII")
+        if tail == cdir:  # xxx/newdir/. exists if xxx/newdir exists
+            return
+    try:
+        os.mkdir(name, mode)
+        # PY315: The call to `chmod()` is not in the CPython proposed code.
+        # Apply `chmod()` after `mkdir()` to enforce the exact requested
+        # permissions, since the kernel masks the mode argument with the
+        # process umask. This guarantees consistent directory permissions
+        # without mutating global umask state.
+        os.chmod(name, mode)
+    except OSError:
+        # Cannot rely on checking for EEXIST, since the operating system
+        # could give priority to other errors like EACCES or EROFS
+        if not exist_ok or not os.path.isdir(name):
+            raise
+
+
+def safe_makedirs(name, mode=0o777, exist_ok=False):
+    """Create directories recursively with explicit `mode` on each level."""
+    makedirs(name=name, mode=mode, exist_ok=exist_ok, parent_mode=mode)
+
+
 def safe_join(base, *paths):
     """
     Join one or more path components to the base path component intelligently.