Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.

This commit is contained in:
Mariusz Felisiak 2020-08-21 12:43:45 +02:00 committed by Carlton Gibson
parent 8d7271578d
commit 1853724aca
5 changed files with 55 additions and 5 deletions

View File

@ -114,7 +114,13 @@ class FileBasedCache(BaseCache):
self._delete(fname)
def _createdir(self):
os.makedirs(self._dir, 0o700, exist_ok=True)
# Set the umask because os.makedirs() doesn't apply the "mode" argument
# to intermediate-level directories.
old_umask = os.umask(0o077)
try:
os.makedirs(self._dir, 0o700, exist_ok=True)
finally:
os.umask(old_umask)
def _key_to_file(self, key, version=None):
"""

View File

@ -4,7 +4,7 @@ Django 2.2.16 release notes
*Expected September 1, 2020*
Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level
directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes
========

View File

@ -4,7 +4,7 @@ Django 3.0.10 release notes
*Expected September 1, 2020*
Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9.
Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level
directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes
========

View File

@ -4,7 +4,7 @@ Django 3.1.1 release notes
*Expected September 1, 2020*
Django 3.1.1 fixes a security issue and several bugs in 3.1.
Django 3.1.1 fixes two security issues and several bugs in 3.1.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level
directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes
========

25
tests/cache/tests.py vendored
View File

@ -6,12 +6,13 @@ import os
import pickle
import re
import shutil
import sys
import tempfile
import threading
import time
import unittest
from pathlib import Path
from unittest import mock
from unittest import mock, skipIf
from django.conf import settings
from django.core import management, signals
@ -1494,6 +1495,28 @@ class FileBasedCacheTests(BaseCacheTests, TestCase):
# Returns the default instead of erroring.
self.assertEqual(cache.get('foo', 'baz'), 'baz')
@skipIf(
sys.platform == 'win32',
'Windows only partially supports umasks and chmod.',
)
def test_cache_dir_permissions(self):
os.rmdir(self.dirname)
dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
for cache_params in settings.CACHES.values():
cache_params['LOCATION'] = dir_path
setting_changed.send(self.__class__, setting='CACHES', enter=False)
cache.set('foo', 'bar')
self.assertIs(dir_path.exists(), True)
tests = [
dir_path,
dir_path.parent,
dir_path.parent.parent,
]
for directory in tests:
with self.subTest(directory=directory):
dir_mode = directory.stat().st_mode & 0o777
self.assertEqual(dir_mode, 0o700)
def test_get_does_not_ignore_non_filenotfound_exceptions(self):
with mock.patch('builtins.open', side_effect=OSError):
with self.assertRaises(OSError):