#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
     Reporter:  Natalia Bidart       |                     Type:  Bug
       Status:  new                  |                Component:  Core
                                     |  (Management commands)
      Version:  6.0                  |                 Severity:  Normal
     Keywords:  startapp             |             Triage Stage:
  startproject                       |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 When using `django-admin startproject` or `startapp` with a remote
 `--template` URL, the download logic trusts the filename value from the
 HTTP `Content-Disposition` header and uses it directly to construct a
 filesystem path.

 In `TemplateCommand.download()`, the header-provided filename is joined
 with the temporary download directory and passed to `shutil.move()`
 without normalization. The filename is not sanitized, allowing the
 downloaded file to be written outside the command’s designated temporary
 download directory.

 This occurs before archive validation or extraction and affects only local
 development workflows using remote templates, which are documented to
 require full audit before use (https://docs.djangoproject.com/en/6.0/ref/django-admin/#cmdoption-startapp-template).

 Still, the expected behavior is that downloaded template archives should
 always remain confined to the temporary download directory, regardless of
 header-provided filenames.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36900>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
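A hardened version of the step the ticket describes, added here as an illustration and not Django's own code: the filename parsed from `Content-Disposition` is reduced to a single path component, and the resulting path is checked to stay under the download directory before anything is moved there. The function names and the fallback filename are assumptions of this example.

```python
import os
import re
from email.message import Message

FALLBACK_NAME = "downloaded_template"  # used when the header yields nothing usable


def filename_from_content_disposition(header_value):
    """Extract the filename parameter from a Content-Disposition value.

    email.message.Message handles quoting and RFC 2231 encoded parameters,
    so the parsing is not hand-rolled. Returns None when no filename is given.
    """
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def sanitize_filename(name):
    """Reduce an untrusted filename to one safe path component.

    Keeps only the last component ('/' and '\\' both count as separators),
    removes control characters and leading dots, and falls back to a fixed
    name when nothing usable remains (so '..' or '' cannot reach the path).
    """
    if not name:
        return FALLBACK_NAME
    name = re.split(r"[\\/]", name)[-1]
    name = re.sub(r"[\x00-\x1f\x7f]", "", name).lstrip(".").strip()
    return name or FALLBACK_NAME


def confined_download_path(tempdir, header_value):
    """Return the path under tempdir where the downloaded archive may be moved.

    The containment check is defence in depth: even if sanitization were
    bypassed, a resolved path outside tempdir is refused instead of written.
    """
    filename = sanitize_filename(filename_from_content_disposition(header_value))
    base = os.path.realpath(tempdir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("download path escapes the temporary directory")
    return candidate


if __name__ == "__main__":
    # Constructed header value, as a remote template server might send it.
    print(confined_download_path(".", 'attachment; filename="my_template.zip"'))
```

In the real command the first argument would be the `tempfile.mkdtemp()` directory the download uses, and the returned path is what gets handed to `shutil.move()`.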