Merge pull request #1120 from fazledyn-or/Fix_File_Permission_777
Fixed Sensitive Data Exposure (File permission in attachments)
This commit is contained in:
commit
f872ec2527
@ -1137,7 +1137,6 @@ class FollowUpAttachment(Attachment):
|
||||
|
||||
def attachment_path(self, filename):
|
||||
|
||||
os.umask(0)
|
||||
path = 'helpdesk/attachments/{ticket_for_url}-{secret_key}/{id_}'.format(
|
||||
ticket_for_url=self.followup.ticket.ticket_for_url,
|
||||
secret_key=self.followup.ticket.secret_key,
|
||||
@ -1145,7 +1144,7 @@ class FollowUpAttachment(Attachment):
|
||||
att_path = os.path.join(settings.MEDIA_ROOT, path)
|
||||
if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
|
||||
if not os.path.exists(att_path):
|
||||
os.makedirs(att_path, 0o777)
|
||||
os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
|
||||
return os.path.join(path, filename)
|
||||
|
||||
|
||||
@ -1159,14 +1158,13 @@ class KBIAttachment(Attachment):
|
||||
|
||||
def attachment_path(self, filename):
|
||||
|
||||
os.umask(0)
|
||||
path = 'helpdesk/attachments/kb/{category}/{kbi}'.format(
|
||||
category=self.kbitem.category,
|
||||
kbi=self.kbitem.id)
|
||||
att_path = os.path.join(settings.MEDIA_ROOT, path)
|
||||
if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
|
||||
if not os.path.exists(att_path):
|
||||
os.makedirs(att_path, 0o777)
|
||||
os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
|
||||
return os.path.join(path, filename)
|
||||
|
||||
|
||||
|
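Review bot: The mode passed to `os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)` in FollowUpAttachment.attachment_path, and again in KBIAttachment.attachment_path, is still reduced by the process umask and, on Python 3.7+, applies only to the leaf directory — the intermediate `helpdesk/attachments/...` components are created with the default mode — so the setting is an upper bound rather than the exact mode, which the settings comment should say. The surrounding `if not os.path.exists(att_path):` guard is a check-then-act race under concurrent uploads that ends in FileExistsError; `os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS, exist_ok=True)` removes both the race and the separate exists check, in both classes. Since the FollowUpAttachment directory name embeds the ticket's `secret_key`, a world-readable default of 0o755 lets any other local account on the host list those names; if the key is relied on as an access capability, a default of 0o750 is the least-privilege choice. The commit also leaves the mode of the uploaded files themselves to Django's FILE_UPLOAD_PERMISSIONS, which is worth noting next to the new setting. Both attachment_path bodies are complete within their hunks, but the enclosing classes extend outside them.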
@ -265,3 +265,11 @@ HELPDESK_OAUTH = getattr(
|
||||
|
||||
# Set Debug Logging Level for IMAP Services. Default to '0' for No Debugging
|
||||
HELPDESK_IMAP_DEBUG_LEVEL = getattr(settings, 'HELPDESK_IMAP_DEBUG_LEVEL', 0)
|
||||
|
||||
#############################################
|
||||
# file permissions - Attachment directories #
|
||||
#############################################
|
||||
|
||||
# Attachment directories should be created with permission 755 (rwxr-xr-x)
|
||||
# Override it in your own Django settings.py
|
||||
HELPDESK_ATTACHMENT_DIR_PERMS = int(getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755"), 8)
|
||||
|
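Review bot: `int(getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755"), 8)` only accepts a string, so a deployer who follows Django's own convention for FILE_UPLOAD_DIRECTORY_PERMISSIONS and writes `HELPDESK_ATTACHMENT_DIR_PERMS = 0o755` gets a TypeError at import time, because int() rejects an explicit base with a non-string argument. Accepting both forms is two lines: `_perms = getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755")` followed by `HELPDESK_ATTACHMENT_DIR_PERMS = int(_perms, 8) if isinstance(_perms, str) else int(_perms)`. The comment above the setting should also state the contract, e.g. `# Octal mode for new attachment directories (string "750" or int 0o750); the process umask still applies and file modes follow FILE_UPLOAD_PERMISSIONS`.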