Re: [Django] #12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS


Django

Mar 23, 2013, 7:17:55 AM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: nobody
Type: | Status: closed
Cleanup/optimization | Version: 1.2-alpha
Component: File | Resolution: wontfix
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: | Needs documentation: 0
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by apollo13):

* status: new => closed
* resolution: => wontfix


Comment:

There are good reasons security-wise to leave tmp files as 600, especially
in shared environments. If you need other permissions for the file, move
it out of /tmp/ and chmod it, otherwise other users can access it which
can be dangerous. A new setting isn't worth it, as such I am closing this.

--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
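
The approach the comment above recommends (leave the temporary file at 0600, move it out of the temp directory, then chmod it), as an added example that is not part of the ticket or of Django's code. It uses only the Python standard library rather than Django's storage API; `file_mode`, `publish_upload`, `demo` and the no-world-access policy are assumptions of this sketch.

```python
import os
import shutil
import stat
import tempfile


def file_mode(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def publish_upload(tmp_path, dest_dir, name, mode=0o640):
    """Move an uploaded temp file into dest_dir, then set an explicit mode.

    The move itself keeps the 0600 mode the temp file was created with, so
    access is only widened by the chmod, after the file has left the shared
    temp directory.
    """
    # Hypothetical policy for this sketch: never grant world access.
    if mode & 0o007:
        raise ValueError("refusing world-accessible mode %o" % mode)
    # Drop directory components from the client-supplied file name.
    dest = os.path.join(dest_dir, os.path.basename(name))
    if os.path.lexists(dest):
        raise FileExistsError(dest)
    shutil.move(tmp_path, dest)
    os.chmod(dest, mode)
    return dest


def demo():
    """Constructed run: (mode while in tmp, mode after publish, tmp still exists)."""
    with tempfile.TemporaryDirectory() as dest_dir:
        fd, tmp_path = tempfile.mkstemp(suffix=".upload")  # created as 0600
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample upload\n")
        before = file_mode(tmp_path)
        final = publish_upload(tmp_path, dest_dir, "../report.txt", 0o640)
        return before, file_mode(final), os.path.exists(tmp_path)


if __name__ == "__main__":
    before, after, leftover = demo()
    print("tmp mode %o, published mode %o, tmp left behind: %s"
          % (before, after, leftover))
```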

Django

Nov 11, 2013, 9:50:30 PM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: nobody
Type: | Status: new
Cleanup/optimization | Version: master
Component: File | Resolution:
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: | Needs documentation: 1
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 1 |
-------------------------------------+-------------------------------------
Changes (by simon29):

* status: closed => new
* cc: simon@… (added)
* version: 1.2-alpha => master
* easy: 0 => 1
* needs_docs: 0 => 1
* resolution: wontfix =>


Comment:

Sorry, re-opening, this issue isn't resolved. It just bit me again.

If we must have an implicit 0600 on temporary file uploads, and an
explicit setting FILE_UPLOAD_PERMISSIONS that doesn't work, then at the
least we need to clearly document the inconsistent behaviour.

I understand the security concern, but having a setting that tells me I
can choose the mode leads me to think, well, er, I can change the mode.

--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:13>

Django

Feb 22, 2014, 6:13:27 AM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: rednaw
Type: | Status: assigned
Cleanup/optimization | Version: master
Component: File | Resolution:
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: nlsprint14 | Needs documentation: 1
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 1 |
-------------------------------------+-------------------------------------
Changes (by rednaw):

* keywords: => nlsprint14
* status: new => assigned
* owner: nobody => rednaw


--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:14>

Django

Feb 23, 2014, 1:12:24 PM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: rednaw
Type: | Status: assigned
Cleanup/optimization | Version: master
Component: File | Resolution:
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: nlsprint14 | Needs documentation: 1
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 1 |
-------------------------------------+-------------------------------------

Comment (by rednaw):

I fixed the documentation and created a pull request for it:
https://github.com/django/django/pull/2341

--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:15>

Django

Feb 25, 2014, 11:21:13 AM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: rednaw
Type: | Status: closed
Cleanup/optimization | Version: master
Component: File | Resolution: fixed
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: nlsprint14 | Needs documentation: 1
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 1 |
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"355572ac56389a8d02cb93ea6a859e0d546bc6fb"]:
{{{
#!CommitTicketReference repository=""
revision="355572ac56389a8d02cb93ea6a859e0d546bc6fb"
Fixed #12670 -- Added a note about permissions of files stored in
FILE_UPLOAD_TEMP_DIR.

Thanks simon29 for the suggestion.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:16>

Django

Feb 25, 2014, 11:21:43 AM
to django-...@googlegroups.com
#12670: TemporaryUploadedFile objects do not respect FILE_UPLOAD_PERMISSIONS
-------------------------------------+-------------------------------------
Reporter: andrewbadr | Owner: rednaw
Type: | Status: closed
Cleanup/optimization | Version: master
Component: File | Resolution: fixed
uploads/storage | Triage Stage: Design
Severity: Normal | decision needed
Keywords: nlsprint14 | Needs documentation: 1
Has patch: 0 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 1 |
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"dde67de0f656014821942ee8abe50f5187924288"]:
{{{
#!CommitTicketReference repository=""
revision="dde67de0f656014821942ee8abe50f5187924288"
[1.6.x] Fixed #12670 -- Added a note about permissions of files stored in
FILE_UPLOAD_TEMP_DIR.

Thanks simon29 for the suggestion.

Backport of 355572ac56 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/12670#comment:17>
