Opened 4 years ago

Closed 4 years ago

#31921 closed Bug (fixed)

Python 3.7: new behavior of os.makedirs breaks FileSystemStorage permissions on intermediate directories

Reported by: WhiteSage Owned by: Mariusz Felisiak
Component: File uploads/storage Version: 2.2
Severity: Release blocker Keywords: python3.7 makedirs permissions
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

From the python os library documentation (https://docs.python.org/3/library/os.html), regarding os.makedirs:

Changed in version 3.7: The mode argument no longer affects the file permission bits of newly-created intermediate-level directories.

As FileSystemStorage._save() directly calls os.makedirs all intermediate folders will be created with 777 permissions, ignoring the directory_permissions_mode member field.

Steps to reproduce:

django-admin startproject bugreport 

Append to settings.py

STATIC_ROOT = BASE_DIR / 'static'

FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o750

Call

python manage.py collectstatic

Intermediate folders such as static/admin will have permissions 777.

Note: python version at least 3.7 is required!

Could have security implications when running on a production server.

Change History (4)

comment:1 by Mariusz Felisiak, 4 years ago

Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted
Version: 3.12.2

Thanks.

Security issues should be reported privately via security@…

comment:2 by Claude Paroz, 4 years ago

It is not true that intermediate folders will have permissions 777. The current user umask will still apply, so on my system, intermediate directories are created with 755 permissions.

comment:3 by Mariusz Felisiak, 4 years ago

Owner: changed from nobody to Mariusz Felisiak
Status: newassigned

comment:4 by Carlton Gibson, 4 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.
Back to Top