innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

[3.0.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+. 

Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
This commit is contained in:
Mariusz Felisiak 2020-08-21 12:43:45 +02:00
parent 08892bffd2
commit cdb367c92a
4 changed files with 48 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
django/core/cache/backends/filebased.py vendored
View File

@ -113,7 +113,13 @@ class FileBasedCache(BaseCache):
self._delete(fname) self._delete(fname)
def _createdir(self): def _createdir(self):
os.makedirs(self._dir, 0o700, exist_ok=True) # Set the umask because os.makedirs() doesn't apply the "mode" argument
# to intermediate-level directories.
old_umask = os.umask(0o077)
try:
os.makedirs(self._dir, 0o700, exist_ok=True)
finally:
os.umask(old_umask)
def _key_to_file(self, key, version=None): def _key_to_file(self, key, version=None):
""" """

9
docs/releases/2.2.16.txt
View File

@ -4,7 +4,7 @@ Django 2.2.16 release notes
*Expected September 1, 2020* *Expected September 1, 2020*
Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15. Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
====================================================================================== ======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level You should review and manually fix permissions on existing intermediate-level
directories. directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes Bugfixes
======== ========

9
docs/releases/3.0.10.txt
View File

@ -4,7 +4,7 @@ Django 3.0.10 release notes
*Expected September 1, 2020* *Expected September 1, 2020*
Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9. Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
====================================================================================== ======================================================================================
@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
You should review and manually fix permissions on existing intermediate-level You should review and manually fix permissions on existing intermediate-level
directories. directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).
Bugfixes Bugfixes
======== ========

26
tests/cache/tests.py vendored
View File

@ -6,11 +6,13 @@ import os
import pickle import pickle
import re import re
import shutil import shutil
import sys
import tempfile import tempfile
import threading import threading
import time import time
import unittest import unittest
from unittest import mock from pathlib import Path
from unittest import mock, skipIf
from django.conf import settings from django.conf import settings
from django.core import management, signals from django.core import management, signals
@ -1443,6 +1445,28 @@ class FileBasedCacheTests(BaseCacheTests, TestCase):
# Returns the default instead of erroring. # Returns the default instead of erroring.
self.assertEqual(cache.get('foo', 'baz'), 'baz') self.assertEqual(cache.get('foo', 'baz'), 'baz')
@skipIf(
sys.platform == 'win32',
'Windows only partially supports umasks and chmod.',
)
def test_cache_dir_permissions(self):
os.rmdir(self.dirname)
dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
for cache_params in settings.CACHES.values():
cache_params['LOCATION'] = dir_path
setting_changed.send(self.__class__, setting='CACHES', enter=False)
cache.set('foo', 'bar')
self.assertIs(dir_path.exists(), True)
tests = [
dir_path,
dir_path.parent,
dir_path.parent.parent,
]
for directory in tests:
with self.subTest(directory=directory):
dir_mode = directory.stat().st_mode & 0o777
self.assertEqual(dir_mode, 0o700)
def test_get_does_not_ignore_non_filenotfound_exceptions(self): def test_get_does_not_ignore_non_filenotfound_exceptions(self):
with mock.patch('builtins.open', side_effect=OSError): with mock.patch('builtins.open', side_effect=OSError):
with self.assertRaises(OSError): with self.assertRaises(OSError):