[3.0.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.

Thanks WhiteSage for the report. Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-21 11:44:46 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-25 10:43:50 +0200
commit: 08892bffd275c79ee1f8f67639eb170aaaf1181e (patch)
tree: 5a88bd55785ee497b0613417a4f2eb30017c7203 /tests/file_storage/tests.py
parent: db8b935730002f2cff6df957e8adab9561072834 (diff)
1 files changed, 10 insertions, 6 deletions
diff --git a/tests/file_storage/tests.py b/tests/file_storage/tests.py
index 1c4176014c..e2a1d06b5d 100644
--- a/tests/file_storage/tests.py
+++ b/tests/file_storage/tests.py
@@ -7,6 +7,7 @@ import time
 import unittest
 from datetime import datetime, timedelta
 from io import StringIO
+from pathlib import Path
 from urllib.request import urlopen
 
 from django.core.cache import cache
@@ -910,16 +911,19 @@ class FileStoragePermissions(unittest.TestCase):
     @override_settings(FILE_UPLOAD_DIRECTORY_PERMISSIONS=0o765)
     def test_file_upload_directory_permissions(self):
         self.storage = FileSystemStorage(self.storage_dir)
-        name = self.storage.save("the_directory/the_file", ContentFile("data"))
-        dir_mode = os.stat(os.path.dirname(self.storage.path(name)))[0] & 0o777
-        self.assertEqual(dir_mode, 0o765)
+        name = self.storage.save('the_directory/subdir/the_file', ContentFile('data'))
+        file_path = Path(self.storage.path(name))
+        self.assertEqual(file_path.parent.stat().st_mode & 0o777, 0o765)
+        self.assertEqual(file_path.parent.parent.stat().st_mode & 0o777, 0o765)
 
     @override_settings(FILE_UPLOAD_DIRECTORY_PERMISSIONS=None)
     def test_file_upload_directory_default_permissions(self):
         self.storage = FileSystemStorage(self.storage_dir)
-        name = self.storage.save("the_directory/the_file", ContentFile("data"))
-        dir_mode = os.stat(os.path.dirname(self.storage.path(name)))[0] & 0o777
-        self.assertEqual(dir_mode, 0o777 & ~self.umask)
+        name = self.storage.save('the_directory/subdir/the_file', ContentFile('data'))
+        file_path = Path(self.storage.path(name))
+        expected_mode = 0o777 & ~self.umask
+        self.assertEqual(file_path.parent.stat().st_mode & 0o777, expected_mode)
+        self.assertEqual(file_path.parent.parent.stat().st_mode & 0o777, expected_mode)
 
 
 class FileStoragePathParsing(SimpleTestCase):
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-21 11:44:46 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-25 10:43:50 +0200
commit	08892bffd275c79ee1f8f67639eb170aaaf1181e (patch)
tree	5a88bd55785ee497b0613417a4f2eb30017c7203 /tests/file_storage/tests.py
parent	db8b935730002f2cff6df957e8adab9561072834 (diff)