Skip to content

Disable cache backend using pickle #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
soapy1 wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Disable cache backend using pickle #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fccb148
Mitigate CVE-2025-69872
soapy1 Apr 24, 2026
d04611d
Raise error if a user tries to use 'Disk' cache backend
soapy1 Apr 24, 2026
e899d6c
Remove 'Disk' in favour of 'DiskCache'
soapy1 Apr 24, 2026
2754387
Update tests
soapy1 Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions diskcache/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@
EVICTION_POLICY,
UNKNOWN,
Cache,
Disk,
Copy link
Copy Markdown
Owner Author

@soapy1 soapy1 Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes diskcache.Disk not importable. For example:

$ python
>>> import diskcache
>>> from diskcache import JSONDisk
>>> from diskcache import Disk
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: cannot import name 'Disk' from 'diskcache' (/home/sophia/projects/python-diskcache/diskcache/__init__.py)
>>>

EmptyDirWarning,
JSONDisk,
Timeout,
Expand All @@ -35,7 +34,6 @@
'Cache',
'DEFAULT_SETTINGS',
'Deque',
'Disk',
'ENOVAL',
'EVICTION_POLICY',
'EmptyDirWarning',
Expand Down
9 changes: 5 additions & 4 deletions diskcache/core.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ def __init__(self, directory, min_file_size=0, pickle_protocol=0):
:param int pickle_protocol: pickle protocol for serialization

"""
raise RuntimeError("Disk has been disabled as a mitigation for CVE-2025-69872. Please use JSONDisk instead.")
Copy link
Copy Markdown
Owner Author

@soapy1 soapy1 Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also considered raising other errors - TypeError, NotImplementedError but these seemed not as accurate.

self._directory = directory
self.min_file_size = min_file_size
self.pickle_protocol = pickle_protocol
Expand Down Expand Up @@ -232,7 +233,7 @@ def _write(self, full_path, iterator, mode, encoding=None):

for count in range(1, 11):
with cl.suppress(OSError):
os.makedirs(full_dir)
os.makedirs(full_dir, 0o700)

try:
# Another cache may have deleted the directory before
Expand Down Expand Up @@ -348,7 +349,7 @@ def __init__(self, directory, compress_level=1, **kwargs):

"""
self.compress_level = compress_level
super().__init__(directory, **kwargs)
self._directory = directory
Copy link
Copy Markdown
Owner Author

@soapy1 soapy1 Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still keeps the relationship between JSONDisk and Disk but tries to avoid raising the error when Disk is instantiated.
It might be worth it to try to separate these two a bit more.


def put(self, key):
json_bytes = json.dumps(key).encode('utf-8')
Expand Down Expand Up @@ -417,7 +418,7 @@ def args_to_key(base, args, kwargs, typed, ignore):
class Cache:
"""Disk and file backed cache."""

def __init__(self, directory=None, timeout=60, disk=Disk, **settings):
def __init__(self, directory=None, timeout=60, disk=JSONDisk, **settings):
"""Initialize cache instance.

:param str directory: cache directory
Expand All @@ -444,7 +445,7 @@ def __init__(self, directory=None, timeout=60, disk=Disk, **settings):

if not op.isdir(directory):
try:
os.makedirs(directory, 0o755)
os.makedirs(directory, 0o700)
except OSError as error:
if error.errno != errno.EEXIST:
raise EnvironmentError(
Expand Down
6 changes: 3 additions & 3 deletions diskcache/fanout.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,15 @@
import tempfile
import time

from .core import DEFAULT_SETTINGS, ENOVAL, Cache, Disk, Timeout
from .core import DEFAULT_SETTINGS, ENOVAL, Cache, JSONDisk, Timeout
from .persistent import Deque, Index


class FanoutCache:
"""Cache that shards keys and values."""

def __init__(
self, directory=None, shards=8, timeout=0.010, disk=Disk, **settings
self, directory=None, shards=8, timeout=0.010, disk=JSONDisk, **settings
):
"""Initialize cache instance.

Expand Down Expand Up @@ -607,7 +607,7 @@ def cache(self, name, timeout=60, disk=None, **settings):
temp = Cache(
directory=directory,
timeout=timeout,
disk=self._disk if disk is None else Disk,
disk=self._disk if disk is None else JSONDisk,
**settings,
)
_caches[name] = temp
Expand Down
7 changes: 1 addition & 6 deletions tests/test_core.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,11 +81,6 @@ def test_disk_reset():
shutil.rmtree(cache.directory, ignore_errors=True)


def test_disk_valueerror():
with pytest.raises(ValueError):
with dc.Cache(disk=dc.Disk('test')):
pass


def test_custom_disk():
with dc.Cache(disk=dc.JSONDisk, disk_compress_level=6) as cache:
Expand All @@ -105,7 +100,7 @@ def test_custom_disk():
shutil.rmtree(cache.directory, ignore_errors=True)


class SHA256FilenameDisk(dc.Disk):
class SHA256FilenameDisk(dc.JSONDisk):
def filename(self, key=dc.UNKNOWN, value=dc.UNKNOWN):
filename = hashlib.sha256(key).hexdigest()[:32]
full_path = op.join(self._directory, filename)
Expand Down
2 changes: 1 addition & 1 deletion tests/test_fanout.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -657,7 +657,7 @@ def test_rsync():
shutil.rmtree(cache_dir2, ignore_errors=True)


class SHA256FilenameDisk(dc.Disk):
class SHA256FilenameDisk(dc.JSONDisk):
def filename(self, key=dc.UNKNOWN, value=dc.UNKNOWN):
filename = hashlib.sha256(key).hexdigest()[:32]
full_path = op.join(self._directory, filename)
Expand Down