holm/django-helpdeskmig
1
0
Fork 0
mirror of https://gitea.mueller.network/extern/django-helpdesk.git synced 2024-11-21 23:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1120 from fazledyn-or/Fix_File_Permission_777

Browse Source 
Fixed Sensitive Data Exposure (File permission in attachments)
This commit is contained in:
Christopher Broderick 2023-10-13 10:41:24 +01:00 committed by GitHub
commit f872ec2527
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
helpdesk/models.py
View File

@ -1137,7 +1137,6 @@ class FollowUpAttachment(Attachment):
def attachment_path(self, filename):
os.umask(0)
path = 'helpdesk/attachments/{ticket_for_url}-{secret_key}/{id_}'.format(
ticket_for_url=self.followup.ticket.ticket_for_url,
secret_key=self.followup.ticket.secret_key,
@ -1145,7 +1144,7 @@ class FollowUpAttachment(Attachment):
att_path = os.path.join(settings.MEDIA_ROOT, path)
if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
if not os.path.exists(att_path):
os.makedirs(att_path, 0o777)
os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
return os.path.join(path, filename)
@ -1159,14 +1158,13 @@ class KBIAttachment(Attachment):
def attachment_path(self, filename):
os.umask(0)
path = 'helpdesk/attachments/kb/{category}/{kbi}'.format(
category=self.kbitem.category,
kbi=self.kbitem.id)
att_path = os.path.join(settings.MEDIA_ROOT, path)
if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
if not os.path.exists(att_path):
os.makedirs(att_path, 0o777)
os.makedirs(att_path, helpdesk_settings.HELPDESK_ATTACHMENT_DIR_PERMS)
return os.path.join(path, filename)

8
helpdesk/settings.py
View File

@ -265,3 +265,11 @@ HELPDESK_OAUTH = getattr(
# Set Debug Logging Level for IMAP Services. Default to '0' for No Debugging
HELPDESK_IMAP_DEBUG_LEVEL = getattr(settings, 'HELPDESK_IMAP_DEBUG_LEVEL', 0)
#############################################
# file permissions - Attachment directories #
#############################################
# Attachment directories should be created with permission 755 (rwxr-xr-x)
# Override it in your own Django settings.py
HELPDESK_ATTACHMENT_DIR_PERMS = int(getattr(settings, 'HELPDESK_ATTACHMENT_DIR_PERMS', "755"), 8)