Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.

2025-10-24 06:06:09 +00:00 · 2020-08-21 12:43:45 +02:00
parent 8d7271578d
commit 1853724aca
5 changed files with 55 additions and 5 deletions
--- a/tests/cache/tests.py
+++ b/tests/cache/tests.py
@@ -6,12 +6,13 @@ import os
 import pickle
 import re
 import shutil
+import sys
 import tempfile
 import threading
 import time
 import unittest
 from pathlib import Path
-from unittest import mock
+from unittest import mock, skipIf

 from django.conf import settings
 from django.core import management, signals
@@ -1494,6 +1495,28 @@ class FileBasedCacheTests(BaseCacheTests, TestCase):
        # Returns the default instead of erroring.
        self.assertEqual(cache.get('foo', 'baz'), 'baz')

+    @skipIf(
+        sys.platform == 'win32',
+        'Windows only partially supports umasks and chmod.',
+    )
+    def test_cache_dir_permissions(self):
+        os.rmdir(self.dirname)
+        dir_path = Path(self.dirname) / 'nested' / 'filebasedcache'
+        for cache_params in settings.CACHES.values():
+            cache_params['LOCATION'] = dir_path
+        setting_changed.send(self.__class__, setting='CACHES', enter=False)
+        cache.set('foo', 'bar')
+        self.assertIs(dir_path.exists(), True)
+        tests = [
+            dir_path,
+            dir_path.parent,
+            dir_path.parent.parent,
+        ]
+        for directory in tests:
+            with self.subTest(directory=directory):
+                dir_mode = directory.stat().st_mode & 0o777
+                self.assertEqual(dir_mode, 0o700)
+
    def test_get_does_not_ignore_non_filenotfound_exceptions(self):
        with mock.patch('builtins.open', side_effect=OSError):
            with self.assertRaises(OSError):