From fccb14852574151ecf1f4615ec7fa6e5135323b7 Mon Sep 17 00:00:00 2001
From: sophia
Date: Fri, 24 Apr 2026 10:25:41 -0700
Subject: [PATCH 1/4] Mitigate CVE-2025-69872 - create cache dirs only accessible by owner - set default cache to JSONCache refs: - https://github.com/grantjenks/python-diskcache/pull/359 - src.fedoraproject.org/rpms/python-diskcache/pull-request/1#
---
diskcache/core.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/diskcache/core.py b/diskcache/core.py
index 7a3d23b..6901d96 100644
--- a/diskcache/core.py
+++ b/diskcache/core.py
@@ -232,7 +232,7 @@ def _write(self, full_path, iterator, mode, encoding=None):
 for count in range(1, 11):
 with cl.suppress(OSError):
- os.makedirs(full_dir)
+ os.makedirs(full_dir, 0o700)
 try:
 # Another cache may have deleted the directory before
@@ -417,7 +417,7 @@ def args_to_key(base, args, kwargs, typed, ignore):
 class Cache:
 """Disk and file backed cache."""
- def __init__(self, directory=None, timeout=60, disk=Disk, **settings):
+ def __init__(self, directory=None, timeout=60, disk=JSONDisk, **settings):
 """Initialize cache instance.
 :param str directory: cache directory
@@ -444,7 +444,7 @@ def __init__(self, directory=None, timeout=60, disk=Disk, **settings):
 if not op.isdir(directory):
 try:
- os.makedirs(directory, 0o755)
+ os.makedirs(directory, 0o700)
 except OSError as error:
 if error.errno != errno.EEXIST:
 raise EnvironmentError(
From d04611d2cab81f9bd8b0790c6488bb3a9359f0af Mon Sep 17 00:00:00 2001
From: sophia
Date: Fri, 24 Apr 2026 10:43:06 -0700
Subject: [PATCH 2/4] Raise error if a user tries to use 'Disk' cache backend
---
diskcache/core.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/diskcache/core.py b/diskcache/core.py
index 6901d96..b46b16b 100644
--- a/diskcache/core.py
+++ b/diskcache/core.py
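Review bot: `os.makedirs(full_dir, 0o700)` only sets the mode on a directory it creates itself; when `full_dir` already exists (a cache written by an earlier release, or created under the old `0o755`) makedirs raises EEXIST, `cl.suppress(OSError)` discards it and the old permissive mode survives, so the mitigation never reaches existing caches. The `@@ -444` hunk has the same gap, there because the `op.isdir(directory)` guard skips a pre-existing directory altogether. Note also that since Python 3.7 the mode argument applies to the leaf directory only, so intermediate directories makedirs creates still get the umask default. Either follow creation with an explicit `os.chmod(full_dir, 0o700)` (and `os.chmod(directory, 0o700)` in `Cache.__init__`) on the already-exists path, or state in the changelog that existing cache directories have to be tightened by hand. `_write` starts and ends outside the hunk.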
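Review bot: Switching the default to `disk=JSONDisk` changes what the cache accepts, and the `:param disk:` entry of the docstring that follows (outside the hunk) presumably still describes the pickle-based `Disk`: keys and values that pickle handled but `json.dumps` rejects (bytes, tuples, sets, arbitrary objects) will now raise TypeError, and a directory written by an earlier release with pickled entries is unlikely to be readable through JSONDisk. The commit messages call the new default 'JSONCache' and 'DiskCache' while the class is `JSONDisk`. Suggest updating the docstring to something like `:param disk: Disk type or subclass for serialization (default JSONDisk: JSON-serializable keys and values only; not compatible with caches written by the pickle-based Disk)` and doing the same for `FanoutCache.__init__` in the fanout.py hunk of the third patch. `Cache.__init__` continues past the hunk.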
@@ -111,6 +111,7 @@ def __init__(self, directory, min_file_size=0, pickle_protocol=0):
 :param int pickle_protocol: pickle protocol for serialization
 """
+ raise RuntimeError("Disk has been disabled as a mitigation for CVE-2025-69872. Please use JSONDisk instead.")
 self._directory = directory
 self.min_file_size = min_file_size
 self.pickle_protocol = pickle_protocol
@@ -348,7 +349,7 @@ def __init__(self, directory, compress_level=1, **kwargs):
 """
 self.compress_level = compress_level
- super().__init__(directory, **kwargs)
+ self._directory = directory
 def put(self, key):
 json_bytes = json.dumps(key).encode('utf-8')
From e899d6cf1b90f1ea237aede03427bb7df6b818fd Mon Sep 17 00:00:00 2001
From: sophia
Date: Fri, 24 Apr 2026 10:58:26 -0700
Subject: [PATCH 3/4] Remove 'Disk' in favour of 'DiskCache'
---
diskcache/__init__.py | 2 --
diskcache/fanout.py | 6 +++---
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/diskcache/__init__.py b/diskcache/__init__.py
index 7757d66..3178f4b 100644
--- a/diskcache/__init__.py
+++ b/diskcache/__init__.py
@@ -11,7 +11,6 @@
 EVICTION_POLICY,
 UNKNOWN,
 Cache,
- Disk,
 EmptyDirWarning,
 JSONDisk,
 Timeout,
@@ -35,7 +34,6 @@
 'Cache',
 'DEFAULT_SETTINGS',
 'Deque',
- 'Disk',
 'ENOVAL',
 'EVICTION_POLICY',
 'EmptyDirWarning',
diff --git a/diskcache/fanout.py b/diskcache/fanout.py
index 9822ee4..d6b7140 100644
--- a/diskcache/fanout.py
+++ b/diskcache/fanout.py
@@ -9,7 +9,7 @@
 import tempfile
 import time
-from .core import DEFAULT_SETTINGS, ENOVAL, Cache, Disk, Timeout
+from .core import DEFAULT_SETTINGS, ENOVAL, Cache, JSONDisk, Timeout
 from .persistent import Deque, Index
@@ -17,7 +17,7 @@ class FanoutCache:
 """Cache that shards keys and values."""
 def __init__(
- self, directory=None, shards=8, timeout=0.010, disk=Disk, **settings
+ self, directory=None, shards=8, timeout=0.010, disk=JSONDisk, **settings
 ):
 """Initialize cache instance.
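Review bot: Placing `raise RuntimeError(...)` as the first statement of `Disk.__init__` turns the three assignments after it into dead code and, since `Disk` remains the base class of `JSONDisk` and of any user-defined subclass, every subclass that still calls `super().__init__()` now fails at construction, which is presumably why the next hunk stops calling it. If the aim is to block the pickle path, the guard belongs in the methods that actually pickle (`Disk.put`/`Disk.fetch` and the related store/get methods, outside this hunk) so the constructor and its attribute setup stay usable by subclasses. If the constructor really must be unusable, drop the unreachable assignments and wrap the message so the line fits the project's width, e.g. `raise RuntimeError(` / `'Disk is disabled (CVE-2025-69872 mitigation); use JSONDisk'` / `)`. Whatever follows the last assignment in `Disk.__init__` lies outside the hunk.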
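Review bot: Replacing `super().__init__(directory, **kwargs)` with `self._directory = directory` silently drops `**kwargs`, so the `min_file_size` and `pickle_protocol` values that `Cache` forwards from its `disk_*` settings (see `disk_compress_level=6` in the tests) never reach the instance, and a misspelled keyword is now accepted without error; if the inherited store/fetch code still reads `self.min_file_size` (not visible here) every JSONDisk will fail with AttributeError on first use. If the base constructor has to stay unusable, set the attributes here and reject leftovers: `self._directory = directory`, `self.min_file_size = kwargs.pop('min_file_size', 0)`, `if kwargs: raise TypeError(f'unexpected disk settings: {sorted(kwargs)}')`. `JSONDisk.__init__` opens before the hunk.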
@@ -607,7 +607,7 @@ def cache(self, name, timeout=60, disk=None, **settings):
 temp = Cache(
 directory=directory,
 timeout=timeout,
- disk=self._disk if disk is None else Disk,
+ disk=self._disk if disk is None else JSONDisk,
 **settings,
 )
 _caches[name] = temp
From 27543872a16943d94ee51ea029a52e6951adc353 Mon Sep 17 00:00:00 2001
From: sophia
Date: Fri, 24 Apr 2026 11:07:02 -0700
Subject: [PATCH 4/4] Update tests
---
tests/test_core.py | 7 +------
tests/test_fanout.py | 2 +-
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/tests/test_core.py b/tests/test_core.py
index 788afef..9ca522d 100644
--- a/tests/test_core.py
+++ b/tests/test_core.py
@@ -81,11 +81,6 @@ def test_disk_reset():
 shutil.rmtree(cache.directory, ignore_errors=True)
-def test_disk_valueerror():
- with pytest.raises(ValueError):
- with dc.Cache(disk=dc.Disk('test')):
- pass
-
 def test_custom_disk():
 with dc.Cache(disk=dc.JSONDisk, disk_compress_level=6) as cache:
@@ -105,7 +100,7 @@ def test_custom_disk():
 shutil.rmtree(cache.directory, ignore_errors=True)
-class SHA256FilenameDisk(dc.Disk):
+class SHA256FilenameDisk(dc.JSONDisk):
 def filename(self, key=dc.UNKNOWN, value=dc.UNKNOWN):
 filename = hashlib.sha256(key).hexdigest()[:32]
 full_path = op.join(self._directory, filename)
diff --git a/tests/test_fanout.py b/tests/test_fanout.py
index af221b6..a622141 100644
--- a/tests/test_fanout.py
+++ b/tests/test_fanout.py
@@ -657,7 +657,7 @@ def test_rsync():
 shutil.rmtree(cache_dir2, ignore_errors=True)
-class SHA256FilenameDisk(dc.Disk):
+class SHA256FilenameDisk(dc.JSONDisk):
 def filename(self, key=dc.UNKNOWN, value=dc.UNKNOWN):
 filename = hashlib.sha256(key).hexdigest()[:32]
 full_path = op.join(self._directory, filename)
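Review bot: `disk=self._disk if disk is None else JSONDisk` still discards the `disk` argument: a caller who passes an explicit disk class to `cache()` gets `JSONDisk` regardless, so the parameter is dead. This was already the case with `Disk`, but the line is being rewritten anyway, and the intended form is presumably `disk=self._disk if disk is None else disk`. `cache()` begins before the hunk.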
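Review bot: Rebasing `SHA256FilenameDisk` onto `dc.JSONDisk` (here and in the matching test_fanout.py hunk) keeps the filename tests compiling, but nothing in the series exercises the new behaviour: that `dc.Cache()` creates its directory with mode 0o700, that constructing the core `Disk` now raises RuntimeError, and that `JSONDisk` still works once `Cache` passes its `disk_*` settings. The removed `test_disk_valueerror` could be replaced rather than dropped, e.g. `with pytest.raises(RuntimeError): diskcache.core.Disk('test')`, and `test_custom_disk` could gain `assert stat.S_IMODE(os.stat(cache.directory).st_mode) == 0o700` (needs `import os, stat`). Both `SHA256FilenameDisk` classes continue past their hunks.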