id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 36298 file_move_safe with allow_overwrite=True does not truncate previous file when there is an OSError error on rename Sarah Boyce Sarah Boyce "Very similar to #36191 We are missing `os.O_TRUNC` in `django.core.files.move.file_move_safe()` Regression test: {{{#!diff --- a/tests/files/tests.py +++ b/tests/files/tests.py @@ -496,6 +496,28 @@ class FileMoveSafeTests(unittest.TestCase): os.close(handle_b) os.close(handle_c) + def test_file_move_permission_error_truncate(self): + with tempfile.NamedTemporaryFile(delete=False) as src: + src.write(b""content"") + src_name = src.name + + with tempfile.NamedTemporaryFile(delete=False) as dest: + dest.write(b""This is a longer content."") + dest_name = dest.name + + try: + with mock.patch(""django.core.files.move.os.rename"", side_effect=OSError()): + file_move_safe(src_name, dest_name, allow_overwrite=True) + + with open(dest_name, ""rb"") as f: + content = f.read() + + self.assertEqual(content, b""content"") + finally: + os.remove(dest_name) + if os.path.exists(src_name): + os.remove(src_name) + class SpooledTempTests(unittest.TestCase): }}} Technically this issue has existed for a while. However: > Security fixes and data loss bugs will be applied to the current main branch, the last two feature release branches, and any other supported long-term support release branches https://docs.djangoproject.com/en/5.2/internals/release-process/#supported-versions I think there is an angle that this is a ""Data loss"" bug as the integrity of uploads is impacted (in which case, we should fix in main, 5.2, 5.1, 4.2). Hence marking as a release blocker." Bug closed File uploads/storage 5.2 Release blocker fixed Baptiste Mispelon Josh Schneier Ready for checkin 1 0 0 0 0 0