id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36588	Harden `django.utils.archive` against decompression bombs	Natalia Bidart	Marcelo Elizeche Landó	"The `django.utils.archive` module is an internal utility used by `startapp` and `startproject` when the `--template` option is provided. The current implementation does not impose limits on extracted file size, file count, or decompression time. This makes it possible for a crafted archive to consume excessive resources.

''Thanks to ""junfuchong (chongfujun)"" for the report.''

This is not considered a security issue under Django's policy because:

* The module is undocumented and only used in local development commands.
* Our policy excludes issues that affect only local dev, and these commands are not intended to run on untrusted archives in production.

Still, adding safeguards (such as maximum size or file count limits) would make the code more robust and user-friendly. This ticket tracks such hardening work after a conversation held within the Security Team."	Cleanup/optimization	assigned	Utilities	dev	Normal		archive	Jake Howard	Accepted	1	0	0	1	0	0
