Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.

Mariusz Felisiak 2020-08-21 12:43:45 +02:00 committed by Carlton Gibson
parent 8d7271578d
commit 1853724aca
5 changed files with 55 additions and 5 deletions


@ -114,7 +114,13 @@ class FileBasedCache(BaseCache):
self._delete(fname) self._delete(fname)
def _createdir(self): def _createdir(self):
# Set the umask because os.makedirs() doesn't apply the "mode" argument
# to intermediate-level directories.
old_umask = os.umask(0o077)
try:
os.makedirs(self._dir, 0o700, exist_ok=True) os.makedirs(self._dir, 0o700, exist_ok=True)
finally:
os.umask(old_umask)
def _key_to_file(self, key, version=None): def _key_to_file(self, key, version=None):
""" """


@ -4,7 +4,7 @@ Django 2.2.16 release notes
*Expected September 1, 2020* *Expected September 1, 2020*
Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15. Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
====================================================================================== ======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level You should review and manually fix permissions on existing intermediate-level
directories. directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes Bugfixes
======== ========


@ -4,7 +4,7 @@ Django 3.0.10 release notes
*Expected September 1, 2020* *Expected September 1, 2020*
Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9. Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
====================================================================================== ======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level You should review and manually fix permissions on existing intermediate-level
directories. directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes Bugfixes
======== ========


@ -4,7 +4,7 @@ Django 3.1.1 release notes
*Expected September 1, 2020* *Expected September 1, 2020*
Django 3.1.1 fixes a security issue and several bugs in 3.1. Django 3.1.1 fixes two security issues and several bugs in 3.1.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
====================================================================================== ======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level You should review and manually fix permissions on existing intermediate-level
directories. directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes Bugfixes
======== ========

tests/cache/tests.py vendored

@ -6,12 +6,13 @@ import os
import pickle import pickle
import re import re
import shutil import shutil
import sys
import tempfile import tempfile
import threading import threading
import time import time
import unittest import unittest
from pathlib import Path from pathlib import Path
from unittest import mock from unittest import mock, skipIf
from django.conf import settings from django.conf import settings
from django.core import management, signals from django.core import management, signals
@ -1494,6 +1495,28 @@ class FileBasedCacheTests(BaseCacheTests, TestCase):
# Returns the default instead of erroring. # Returns the default instead of erroring.
self.assertEqual(cache.get('foo', 'baz'), 'baz') self.assertEqual(cache.get('foo', 'baz'), 'baz')
@skipIf(
sys.platform == 'win32',
'Windows only partially supports umasks and chmod.',
)
def test_cache_dir_permissions(self):
os.rmdir(self.dirname)
dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
for cache_params in settings.CACHES.values():
cache_params['LOCATION'] = dir_path
setting_changed.send(self.__class__, setting='CACHES', enter=False)
cache.set('foo', 'bar')
self.assertIs(dir_path.exists(), True)
tests = [
dir_path,
dir_path.parent,
dir_path.parent.parent,
]
for directory in tests:
with self.subTest(directory=directory):
dir_mode = directory.stat().st_mode & 0o777
self.assertEqual(dir_mode, 0o700)
def test_get_does_not_ignore_non_filenotfound_exceptions(self): def test_get_does_not_ignore_non_filenotfound_exceptions(self):
with mock.patch('builtins.open', side_effect=OSError): with mock.patch('builtins.open', side_effect=OSError):
with self.assertRaises(OSError): with self.assertRaises(OSError):