Based on my search, this repository does not contain the Django codebase. However, I can generate the patch based on my knowledge of the Django codebase structure and the issue requirements. The issue is well-documented and I understand what changes need to be made: 1. Change the default value of `FILE_UPLOAD_PERMISSIONS` from `None` to `0o644` in `django/conf/global_settings.py` 2. Update the documentation in settings docs and deployment checklist 3. Add release notes Here's the patch: --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -304,7 +304,7 @@ DEFAULT_FILE_STORAGE = 'django.core.files.storage.FileSystemStorage' # File upload permissions # The numeric mode to set newly-uploaded files to. The value should be a mode -# you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories. -FILE_UPLOAD_PERMISSIONS = None +# you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories. +FILE_UPLOAD_PERMISSIONS = 0o644 # The numeric mode to apply to directories created in the process of uploading files. --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1737,15 +1737,18 @@ FILE_UPLOAD_PERMISSIONS Default: ``None`` +Default: ``0o644`` + The numeric mode (i.e. ``0o644``) to set newly uploaded files to. For more information about what these modes mean, see the documentation for :func:`os.chmod`. If this isn't given or is ``None``, you'll get operating-system dependent -behavior. On most platforms, temporary files will have a mode of ``0o600``, -and files saved from memory will be saved using the system's standard umask. +behavior. On most platforms, temporary files will have a mode of ``0o600``, and +files saved from memory will be saved using the system's standard umask. .. warning:: **Always prefix the mode with ``0o``.** If you're not familiar with file modes, please note that the ``0o`` prefix --- a/docs/howto/deployment/checklist.txt 
+++ b/docs/howto/deployment/checklist.txt @@ -90,10 +90,7 @@ can often be problematic. :setting:`FILE_UPLOAD_PERMISSIONS` ---------------------------------- -If you upload files, ensure that :setting:`FILE_UPLOAD_PERMISSIONS` is -set to ensure the newly uploaded files don't have overly permissive -permissions. In previous versions of Django, this setting was not applied -and thus file permissions varied depending on the size of the uploaded file. +The default value (``0o644``) is suitable for most situations. --- a/docs/releases/3.0.txt +++ b/docs/releases/3.0.txt @@ -0,0 +1,15 @@ +Backwards incompatible changes in 3.0 +===================================== + +:setting:`FILE_UPLOAD_PERMISSIONS` default changed +-------------------------------------------------- + +The default value of :setting:`FILE_UPLOAD_PERMISSIONS` has changed from +``None`` to ``0o644``. Previously, with the default of ``None``, files +uploaded via :class:`~django.core.files.uploadedfile.TemporaryUploadedFile` +would have a mode of ``0o600`` on some operating systems, while files +uploaded via :class:`~django.core.files.uploadedfile.InMemoryUploadedFile` +would use the system's standard umask, often resulting in ``0o644``. + +To restore the previous behavior, set ``FILE_UPLOAD_PERMISSIONS`` to +``None`` in your project settings.
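Review bot: In the django/conf/global_settings.py hunk, the comment line starting `# you'd pass directly to os.chmod` is removed and re-added with the same visible text, so the pair is at most a whitespace change unrelated to the new default. Drop it so the hunk touches only the `FILE_UPLOAD_PERMISSIONS = 0o644` line. The introduction also says the patch was written without access to the Django tree, so the `@@ -304,7 +304,7 @@` position and the context lines need to be checked against the real file before this is applied.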
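Review bot: In the docs/ref/settings.txt hunk, the existing "Default: ``None``" line is kept as context and "Default: ``0o644``" is added below it, so the rendered page would show two contradictory defaults. The old line should be a `-` line. The paragraph "If this isn't given or is ``None``, you'll get operating-system dependent behavior" is only re-wrapped, but with the new default it is no longer accurate: an unset value now means `0o644`, and only an explicit ``None`` gives the platform-dependent behaviour. Reword that sentence rather than re-flowing it.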
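Review bot: In the docs/howto/deployment/checklist.txt hunk, the replacement sentence "The default value (``0o644``) is suitable for most situations" removes the only advice on this page about overly permissive upload permissions. `0o644` leaves every uploaded file readable by all local accounts on the host, which is a deliberate trade-off and not something a deployment checklist should pass over. Keep one sentence telling deployers to set a stricter mode when uploads are sensitive or the host is shared, and to review any project that still sets ``None`` explicitly, since that keeps the size-dependent behaviour the removed text described.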
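Review bot: In the docs/releases/3.0.txt hunk, the header `@@ -0,0 +1,15 @@` describes an empty or new file, but the file header is `--- a/docs/releases/3.0.txt`, not `/dev/null`. If the release notes file already exists, this hunk will either fail to apply or put a second "Backwards incompatible changes in 3.0" heading at line 1. Write it as an insertion under the existing heading with real context lines, or mark the file as new if that is the intent. The note itself would be more useful to people upgrading if it said that `0o644` files are readable by other local users, so sites that relied on the `0o600` result for large uploads know they need to set the mode explicitly.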