Opened 11 years ago

Closed 10 years ago

Last modified 7 years ago

#8454 closed (fixed)

uploaded file permissions vary based on handler

Reported by: Dan Watson
Owned by: nobody
Component: File uploads/storage
Version: master
Severity:
Keywords: file upload permission mode
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


As mentioned a few times in #2070, uploaded files large enough to be streamed to a temporary file get created with a mode of 0600, as per Python's tempfile.mkstemp. This causes two problems:

  1. Files uploaded into memory and saved to disk respect the umask, so uploads could have different permissions based on how big they are.
  2. If the webserver user and django user do not match (such as when running an external FastCGI process), the webserver can no longer serve uploaded files.

Attached is a patch that implements a FILE_UPLOAD_PERMISSIONS setting. Right now, it defaults to the current behavior (leaving the permissions alone).

Discussion (or lack thereof) here:

The inconsistency seems like a bug to me, so marking as 1.0.

Attachments (1)

8454.diff (2.1 KB) - added by Dan Watson 11 years ago.
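
The inconsistency described in the ticket, and the effect of an explicit mode like the proposed FILE_UPLOAD_PERMISSIONS, reproduced outside Django as an added example (this is not the attached patch or Django's own code; the function names are hypothetical and the behaviour assumes a POSIX filesystem):

```python
import os
import shutil
import stat
import tempfile


def save_from_memory(data, dest):
    """Small upload held in memory: plain open(), so the mode is 0o666 & ~umask."""
    with open(dest, "wb") as fh:
        fh.write(data)


def save_from_tempfile(data, dest):
    """Large upload streamed to disk: mkstemp() creates the file as 0o600 and
    moving it into place carries that mode along, whatever the umask is."""
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(dest))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    shutil.move(tmp_path, dest)


def save_upload(data, dest, streamed, permissions=None):
    """Save through either path, then apply one explicit mode if configured.
    permissions=None leaves the handler-dependent mode alone (the ticket's default)."""
    (save_from_tempfile if streamed else save_from_memory)(data, dest)
    if permissions is not None:
        os.chmod(dest, permissions)
    return stat.S_IMODE(os.stat(dest).st_mode)


def demo(permissions=None, umask=0o022):
    """Return (mode of the in-memory upload, mode of the streamed upload)."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as media_root:  # constructed upload dir
            small = save_upload(b"x" * 10, os.path.join(media_root, "small.bin"),
                                streamed=False, permissions=permissions)
            large = save_upload(b"x" * 10, os.path.join(media_root, "large.bin"),
                                streamed=True, permissions=permissions)
            return small, large
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("no setting:", [oct(m) for m in demo()])
    print("0o644     :", [oct(m) for m in demo(0o644)])
```

Where the web server and the application run as different users, a mode such as 0o640 combined with a shared group lets the server read uploads without making them world-readable.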


Change History (7)

Changed 11 years ago by Dan Watson

Attachment: 8454.diff added

comment:1 Changed 10 years ago by anonymous

comment:2 Changed 10 years ago by Jacob

Triage Stage: Unreviewed → Accepted

comment:3 Changed 10 years ago by Julien Phalip

I like the approach taken in the proposed patch. But I think it should be made clear, both in the doc and in the constant's name (FILE_UPLOAD_PERMISSIONS), that this only applies to the standard file system (FileSystemStorage).

comment:4 Changed 10 years ago by Jacob

Resolution: fixed
Status: new → closed

(In [8640]) Fixed #8454: added a FILE_UPLOAD_PERMISSIONS setting to control the permission of files uploaded by the built-in file storage system. Thanks, dcwatson.

comment:5 Changed 9 years ago by Simon Litchfield

See #13857

comment:6 Changed 7 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
