Opened 3 weeks ago

Last modified 2 weeks ago

#36900 assigned Bug

startproject and startapp do not sanitize filename from Content-Disposition header

Reported by: Natalia Bidart Owned by: ar3ph
Component: Core (Management commands) Version: 6.0
Severity: Normal Keywords: startapp startproject
Cc: ar3ph Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When using django-admin startproject or startapp with a remote --template URL, the download logic trusts the filename value from the HTTP Content-Disposition header and uses it directly to construct a filesystem path.

In TemplateCommand.download(), the header-provided filename is joined with the temporary download directory and passed to shutil.move() without normalization. The filename is not sanitized, allowing the downloaded file to be written outside the command’s designated temporary download directory.

This occurs before archive validation or extraction and affects only local development workflows using remote templates, which are documented to require full audit before use (https://docs.djangoproject.com/en/6.0/ref/django-admin/#cmdoption-startapp-template).

Still, the expected behavior is that downloaded template archives should always remain confined to the temporary download directory, regardless of header-provided filenames.
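The following is an added illustration for this ticket, not code from Django's TemplateCommand or from the linked pull request. It shows the failure mode the description names (a Content-Disposition filename joined onto the temporary directory without normalization) next to a hardened variant that keeps only the final path component and then verifies containment. All function names, the fallback filename and the sample header values are assumptions made for the example.

```python
"""Added example (not Django's own code): confining a header-supplied
filename to the temporary download directory.

Names below (filename_from_content_disposition, unsafe_download_path,
safe_download_path, is_confined, the "template.tar.gz" fallback) are
assumptions for this illustration, not identifiers from Django.
"""
import os
import posixpath
from email.message import Message


def filename_from_content_disposition(header_value):
    """Return the filename parameter of a Content-Disposition header, or None.

    email.message.Message handles quoting and RFC 2231 (filename*=) encoding,
    but it does NOT sanitize the result: separators and '..' pass straight through.
    """
    if not header_value:
        return None
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def unsafe_download_path(tempdir, header_value, fallback="template.tar.gz"):
    """The pattern the ticket describes: the header value is trusted as-is.

    A filename such as "../../x.tar.gz" yields a path outside tempdir.
    """
    filename = filename_from_content_disposition(header_value) or fallback
    return os.path.join(tempdir, filename)


def sanitize_filename(filename, fallback):
    """Reduce a header-supplied name to a single, non-directory path component."""
    # Strip any directory part, whichever separator the sender used.
    name = posixpath.basename(filename.replace("\\", "/"))
    name = os.path.basename(name)
    # "" / "." / ".." would still resolve to a directory; use the fallback instead.
    if name in ("", ".", ".."):
        return fallback
    return name


def is_confined(base, path):
    """True if `path` resolves to a location inside `base` (or to `base` itself)."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def safe_download_path(tempdir, header_value, fallback="template.tar.gz"):
    """Hardened variant: basename only, then confirm the result stays in tempdir."""
    filename = filename_from_content_disposition(header_value) or fallback
    filename = sanitize_filename(filename, fallback)
    candidate = os.path.join(tempdir, filename)
    # Belt and braces: sanitize_filename should make this unreachable, but the
    # containment check is cheap and catches any future regression.
    if not is_confined(tempdir, candidate):
        raise ValueError("download path escapes the temporary directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server response.
    base = os.path.join(os.sep, "tmp", "django_template_dl")
    hostile = 'attachment; filename="../../escaped.tar.gz"'
    print("unsafe:", unsafe_download_path(base, hostile))
    print("safe:  ", safe_download_path(base, hostile))
```

Run stand-alone, the script prints the escaping path produced by the unsafe join followed by the confined path produced by the hardened version. The containment check in is_confined uses os.path.realpath on both sides so that a symlinked temporary directory does not produce a false rejection.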

Change History (9)

comment:1 by jaffar Khan, 3 weeks ago

Cc: jaffar Khan added

comment:2 by Jacob Walls, 3 weeks ago

Triage Stage: Unreviewed → Accepted

comment:3 by ar3ph, 3 weeks ago

I can take a look at this.

comment:4 by ar3ph, 3 weeks ago

Cc: ar3ph added
Owner: set to ar3ph
Status: new → assigned

comment:5 by ar3ph, 3 weeks ago

Has patch: set

Here is a patch for the filename from Content-Disposition header: https://github.com/django/django/pull/20639

Do I need to update/add a test though? I can't find any existing tests for the template command.

in reply to: ↑ 5 comment:6 by Natalia Bidart, 3 weeks ago

Needs documentation: set
Needs tests: set
Patch needs improvement: set

Replying to ar3ph:

Do I need to update/add a test though? I can't find any existing tests for the template command.

Yes, most definitely. Existing tests are located in https://github.com/django/django/blob/main/tests/admin_scripts/tests.py

Setting the flags per PR comments.

comment:7 by ar3ph, 3 weeks ago

I have updated the code, added a test and updated the release doc: https://github.com/django/django/pull/20639

comment:8 by jaffar Khan, 3 weeks ago

Cc: jaffar Khan removed

comment:9 by ar3ph, 2 weeks ago

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset