Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

don't make uploaded files executable by default #369

Closed
wants to merge 5 commits into from

3 participants

@lotheac

See the previous pull request #326

tests/regressiontests/file_storage/tests.py
@@ -449,6 +449,23 @@ def test_file_upload_permissions(self):
actual_mode = os.stat(self.storage.path(name))[0] & 0o777
self.assertEqual(actual_mode, 0o666)
+class FileStorageDefaultPermissions(unittest.TestCase):
+ def setUp(self):
+ self.old_perms = settings.FILE_UPLOAD_PERMISSIONS
@charettes Collaborator

You could use the django.test.utils.override_settings decorator to wrap FileStorageDefaultPermissions here.

@lotheac
lotheac added a note

Thanks. With that, I don't actually need a separate class, I can just use the existing FileStoragePermissions and decorate the test methods. Added commit 5f69e10.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
tests/regressiontests/file_storage/tests.py
((14 lines not shown))
+ @override_settings(FILE_UPLOAD_PERMISSIONS=0o666)
@charettes Collaborator

We should change the tested permissions to be something else than 0o666 now that's the default one.

@lotheac
lotheac added a note

Or maybe we should test with a different umask instead? The default permission should be 0666 ~ umask, but FILE_UPLOAD_PERMISSIONS should ignore umask.

@charettes Collaborator

We could test both scenarios.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@charettes
Collaborator

Is there a trac ticket attached to this PR? If that's not the case you should open one and point it to this patch since I think it's ready for check in.

@apollo13
Owner

The patch looks good so far, but it doesn't pass on Python 3:

    fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_BINARY', 0), 0666)
                                                                                                  ^
SyntaxError: invalid token

Can you test on Python3 too and fix those? Txh!

@lotheac

Ah, you're right. Commit 67f844e should fix that.

@apollo13 apollo13 commented on the diff
django/core/files/storage.py
@@ -192,7 +192,7 @@ def _save(self, name, content):
else:
# This fun binary flag incantation makes os.open throw an
# OSError if the file already exists before we open it.
- fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_BINARY', 0))
+ fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_BINARY', 0), 0o666)
@apollo13 Owner

Something just came to my mind: How does 0o666 affect windows?

@lotheac
lotheac added a note

The Python docs just refer to runtime C library documentation (http://docs.python.org/library/os.html#os.open), so no idea there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@apollo13 apollo13 commented on the diff
tests/regressiontests/file_storage/tests.py
((22 lines not shown))
+ @override_settings(FILE_UPLOAD_PERMISSIONS=None)
+ def test_file_upload_default_permissions(self):
+ fname = self.storage.save("some_file", ContentFile("data"))
+ mode = os.stat(self.storage.path(fname))[0] & 0o777
@apollo13 Owner

Does this work on windows too?

@lotheac
lotheac added a note

Sorry, no idea, I don't have a Windows machine to test with. But, the only new thing here is umask; test_file_upload_permissions was a similar test previously.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@apollo13
Owner

Fixed in e8c6aff.

@apollo13 apollo13 closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
This page is out of date. Refresh to see the latest.
View
2  django/core/files/storage.py
@@ -192,7 +192,7 @@ def _save(self, name, content):
else:
# This fun binary flag incantation makes os.open throw an
# OSError if the file already exists before we open it.
- fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_BINARY', 0))
+ fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_BINARY', 0), 0o666)
@apollo13 Owner

Something just came to my mind: How does 0o666 affect windows?

@lotheac
lotheac added a note

The Python docs just refer to runtime C library documentation (http://docs.python.org/library/os.html#os.open), so no idea there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
try:
locks.lock(fd, locks.LOCK_EX)
_file = None
View
2  docs/releases/1.5.txt
@@ -333,6 +333,8 @@ Miscellaneous
function at :func:`django.utils.text.slugify`. Similarly, ``remove_tags`` is
available at :func:`django.utils.html.remove_tags`.
+* Uploaded files are no longer created executable by default
+
Features deprecated in 1.5
==========================
View
15 tests/regressiontests/file_storage/tests.py
@@ -23,6 +23,7 @@
from django.test import SimpleTestCase
from django.utils import six
from django.utils import unittest
+from django.test.utils import override_settings
from ..servers.tests import LiveServerBase
# Try to import PIL in either of the two ways it can end up installed.
@@ -435,20 +436,26 @@ def test_race_condition(self):
class FileStoragePermissions(unittest.TestCase):
def setUp(self):
- self.old_perms = settings.FILE_UPLOAD_PERMISSIONS
- settings.FILE_UPLOAD_PERMISSIONS = 0o666
+ self.umask = 0o027
+ self.old_umask = os.umask(self.umask)
self.storage_dir = tempfile.mkdtemp()
self.storage = FileSystemStorage(self.storage_dir)
def tearDown(self):
- settings.FILE_UPLOAD_PERMISSIONS = self.old_perms
shutil.rmtree(self.storage_dir)
+ os.umask(self.old_umask)
+ @override_settings(FILE_UPLOAD_PERMISSIONS=0o654)
def test_file_upload_permissions(self):
name = self.storage.save("the_file", ContentFile("data"))
actual_mode = os.stat(self.storage.path(name))[0] & 0o777
- self.assertEqual(actual_mode, 0o666)
+ self.assertEqual(actual_mode, 0o654)
+ @override_settings(FILE_UPLOAD_PERMISSIONS=None)
+ def test_file_upload_default_permissions(self):
+ fname = self.storage.save("some_file", ContentFile("data"))
+ mode = os.stat(self.storage.path(fname))[0] & 0o777
@apollo13 Owner

Does this work on windows too?

@lotheac
lotheac added a note

Sorry, no idea, I don't have a Windows machine to test with. But, the only new thing here is umask; test_file_upload_permissions was a similar test previously.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+ self.assertEqual(mode, 0o666 & ~self.umask)
class FileStoragePathParsing(unittest.TestCase):
def setUp(self):
Something went wrong with that request. Please try again.