diff options
author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-21 11:44:46 +0200 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-09-01 09:17:23 +0200 |
commit | 8d7271578d7b153435b40fe40236ebec43cbf1b9 (patch) | |
tree | 8ff6135d4131b005510b2197e537596d5a9d9fca /tests/file_storage | |
parent | 2bc38bc7cae002f949157d95e3f0c19ea6b8ca5c (diff) | |
download | django-8d7271578d7b153435b40fe40236ebec43cbf1b9.tar.gz |
Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.
Diffstat (limited to 'tests/file_storage')
-rw-r--r-- | tests/file_storage/tests.py | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/tests/file_storage/tests.py b/tests/file_storage/tests.py index 8f280ad13c..4bac3ca11d 100644 --- a/tests/file_storage/tests.py +++ b/tests/file_storage/tests.py @@ -972,16 +972,19 @@ class FileStoragePermissions(unittest.TestCase): @override_settings(FILE_UPLOAD_DIRECTORY_PERMISSIONS=0o765) def test_file_upload_directory_permissions(self): self.storage = FileSystemStorage(self.storage_dir) - name = self.storage.save("the_directory/the_file", ContentFile("data")) - dir_mode = os.stat(os.path.dirname(self.storage.path(name)))[0] & 0o777 - self.assertEqual(dir_mode, 0o765) + name = self.storage.save('the_directory/subdir/the_file', ContentFile('data')) + file_path = Path(self.storage.path(name)) + self.assertEqual(file_path.parent.stat().st_mode & 0o777, 0o765) + self.assertEqual(file_path.parent.parent.stat().st_mode & 0o777, 0o765) @override_settings(FILE_UPLOAD_DIRECTORY_PERMISSIONS=None) def test_file_upload_directory_default_permissions(self): self.storage = FileSystemStorage(self.storage_dir) - name = self.storage.save("the_directory/the_file", ContentFile("data")) - dir_mode = os.stat(os.path.dirname(self.storage.path(name)))[0] & 0o777 - self.assertEqual(dir_mode, 0o777 & ~self.umask) + name = self.storage.save('the_directory/subdir/the_file', ContentFile('data')) + file_path = Path(self.storage.path(name)) + expected_mode = 0o777 & ~self.umask + self.assertEqual(file_path.parent.stat().st_mode & 0o777, expected_mode) + self.assertEqual(file_path.parent.parent.stat().st_mode & 0o777, expected_mode) class FileStoragePathParsing(SimpleTestCase): |