id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30004	Set default FILE_UPLOAD_PERMISSION to 0o644.	Evgeny Arshinov	Himanshu Lakhara	"Hello,

As far as I can see, the [https://docs.djangoproject.com/en/2.1/topics/http/file-uploads/ File Uploads] documentation page does not mention any permission issues.

What I would like to see is a warning that in absence of explicitly configured `FILE_UPLOAD_PERMISSIONS`, the permissions for a file uploaded to `FileSystemStorage` might not be consistent depending on whether a `MemoryUploadedFile` or a `TemporaryUploadedFile` was used for temporary storage of the uploaded data (which, with the default FILE_UPLOAD_HANDLERS, in turn depends on the uploaded data size).

The `tempfile.NamedTemporaryFile` + `os.rename` sequence causes the resulting file permissions to be 0o0600 on some systems (I experience it here on CentOS 7.4.1708 and Python 3.6.5). In all probability, the implementation of Python's built-in `tempfile` module explicitly sets such permissions for temporary files due to security considerations.

I found mentions of this issue [https://github.com/divio/django-filer/issues/1031 on GitHub], but did not manage to find any existing bug report in Django's bug tracker."	Cleanup/optimization	closed	File uploads/storage	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0