Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
This commit is contained in:
parent
8d7271578d
commit
1853724aca
|
@ -114,7 +114,13 @@ class FileBasedCache(BaseCache):
|
||||||
self._delete(fname)
|
self._delete(fname)
|
||||||
|
|
||||||
def _createdir(self):
|
def _createdir(self):
|
||||||
|
# Set the umask because os.makedirs() doesn't apply the "mode" argument
|
||||||
|
# to intermediate-level directories.
|
||||||
|
old_umask = os.umask(0o077)
|
||||||
|
try:
|
||||||
os.makedirs(self._dir, 0o700, exist_ok=True)
|
os.makedirs(self._dir, 0o700, exist_ok=True)
|
||||||
|
finally:
|
||||||
|
os.umask(old_umask)
|
||||||
|
|
||||||
def _key_to_file(self, key, version=None):
|
def _key_to_file(self, key, version=None):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -4,7 +4,7 @@ Django 2.2.16 release notes
|
||||||
|
|
||||||
*Expected September 1, 2020*
|
*Expected September 1, 2020*
|
||||||
|
|
||||||
Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
|
Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
|
||||||
|
|
||||||
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
||||||
======================================================================================
|
======================================================================================
|
||||||
|
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
|
||||||
You should review and manually fix permissions on existing intermediate-level
|
You should review and manually fix permissions on existing intermediate-level
|
||||||
directories.
|
directories.
|
||||||
|
|
||||||
|
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
|
||||||
|
===============================================================================================================
|
||||||
|
|
||||||
|
On Python 3.7+, the intermediate-level directories of the file system cache had
|
||||||
|
the system's standard umask rather than ``0o077`` (no group or others
|
||||||
|
permissions).
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ Django 3.0.10 release notes
|
||||||
|
|
||||||
*Expected September 1, 2020*
|
*Expected September 1, 2020*
|
||||||
|
|
||||||
Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9.
|
Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.
|
||||||
|
|
||||||
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
||||||
======================================================================================
|
======================================================================================
|
||||||
|
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
|
||||||
You should review and manually fix permissions on existing intermediate-level
|
You should review and manually fix permissions on existing intermediate-level
|
||||||
directories.
|
directories.
|
||||||
|
|
||||||
|
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
|
||||||
|
===============================================================================================================
|
||||||
|
|
||||||
|
On Python 3.7+, the intermediate-level directories of the file system cache had
|
||||||
|
the system's standard umask rather than ``0o077`` (no group or others
|
||||||
|
permissions).
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ Django 3.1.1 release notes
|
||||||
|
|
||||||
*Expected September 1, 2020*
|
*Expected September 1, 2020*
|
||||||
|
|
||||||
Django 3.1.1 fixes a security issue and several bugs in 3.1.
|
Django 3.1.1 fixes two security issues and several bugs in 3.1.
|
||||||
|
|
||||||
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
|
||||||
======================================================================================
|
======================================================================================
|
||||||
|
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
|
||||||
You should review and manually fix permissions on existing intermediate-level
|
You should review and manually fix permissions on existing intermediate-level
|
||||||
directories.
|
directories.
|
||||||
|
|
||||||
|
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
|
||||||
|
===============================================================================================================
|
||||||
|
|
||||||
|
On Python 3.7+, the intermediate-level directories of the file system cache had
|
||||||
|
the system's standard umask rather than ``0o077`` (no group or others
|
||||||
|
permissions).
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -6,12 +6,13 @@ import os
|
||||||
import pickle
|
import pickle
|
||||||
import re
|
import re
|
||||||
import shutil
|
import shutil
|
||||||
|
import sys
|
||||||
import tempfile
|
import tempfile
|
||||||
import threading
|
import threading
|
||||||
import time
|
import time
|
||||||
import unittest
|
import unittest
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from unittest import mock
|
from unittest import mock, skipIf
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.core import management, signals
|
from django.core import management, signals
|
||||||
|
@ -1494,6 +1495,28 @@ class FileBasedCacheTests(BaseCacheTests, TestCase):
|
||||||
# Returns the default instead of erroring.
|
# Returns the default instead of erroring.
|
||||||
self.assertEqual(cache.get('foo', 'baz'), 'baz')
|
self.assertEqual(cache.get('foo', 'baz'), 'baz')
|
||||||
|
|
||||||
|
@skipIf(
|
||||||
|
sys.platform == 'win32',
|
||||||
|
'Windows only partially supports umasks and chmod.',
|
||||||
|
)
|
||||||
|
def test_cache_dir_permissions(self):
|
||||||
|
os.rmdir(self.dirname)
|
||||||
|
dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
|
||||||
|
for cache_params in settings.CACHES.values():
|
||||||
|
cache_params['LOCATION'] = dir_path
|
||||||
|
setting_changed.send(self.__class__, setting='CACHES', enter=False)
|
||||||
|
cache.set('foo', 'bar')
|
||||||
|
self.assertIs(dir_path.exists(), True)
|
||||||
|
tests = [
|
||||||
|
dir_path,
|
||||||
|
dir_path.parent,
|
||||||
|
dir_path.parent.parent,
|
||||||
|
]
|
||||||
|
for directory in tests:
|
||||||
|
with self.subTest(directory=directory):
|
||||||
|
dir_mode = directory.stat().st_mode & 0o777
|
||||||
|
self.assertEqual(dir_mode, 0o700)
|
||||||
|
|
||||||
def test_get_does_not_ignore_non_filenotfound_exceptions(self):
|
def test_get_does_not_ignore_non_filenotfound_exceptions(self):
|
||||||
with mock.patch('builtins.open', side_effect=OSError):
|
with mock.patch('builtins.open', side_effect=OSError):
|
||||||
with self.assertRaises(OSError):
|
with self.assertRaises(OSError):
|
||||||
|
|
Loading…
Reference in New Issue