Fixed #31983 -- Added system check for file system caches location.

Thanks Johannes Maron and Nick Pope for reviews.
2025-07-24 13:44:32 +00:00 · 2020-10-27 00:01:03 +08:00 · 2020-10-27 00:01:03 +08:00 · c36075ac1d
commit c36075ac1d
parent ebb08d1942
4 changed files with 118 additions and 4 deletions
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@ -138,6 +138,10 @@ configured:

 * **caches.E001**: You must define a ``'default'`` cache in your
  :setting:`CACHES` setting.
+* **caches.W002**: Your ``<cache>`` configuration might expose your cache or
+  lead to corruption of your data because its
+  :setting:`LOCATION <CACHES-LOCATION>` matches/is inside/contains
+  :setting:`MEDIA_ROOT`/:setting:`STATIC_ROOT`/:setting:`STATICFILES_DIRS`.

 Database
 --------
--- a/docs/topics/cache.txt
+++ b/docs/topics/cache.txt
@ -293,6 +293,16 @@ above example, if your server runs as the user ``apache``, make sure the
 directory ``/var/tmp/django_cache`` exists and is readable and writable by the
 user ``apache``.

+.. warning::
+
+    When the cache :setting:`LOCATION <CACHES-LOCATION>` is contained within
+    :setting:`MEDIA_ROOT`, :setting:`STATIC_ROOT`, or
+    :setting:`STATICFILES_FINDERS`, sensitive data may be exposed.
+
+    An attacker who gains access to the cache file can not only falsify HTML
+    content, which your site will trust, but also remotely execute arbitrary
+    code, as the data is serialized using :mod:`pickle`.
+
 .. _local-memory-caching:

 Local-memory caching