id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36900	startproject and startapp do not sanitize filename from Content-Disposition header	Natalia Bidart	ar3ph	"When using `django-admin startproject` or `startapp` with a remote `--template` URL, the download logic trusts the filename value from the HTTP `Content-Disposition` header and uses it directly to construct a filesystem path.

In `TemplateCommand.download()`, the header-provided filename is joined with the temporary download directory and passed to `shutil.move()` without normalization. The filename is not sanitized, allowing the downloaded file to be written outside the command’s designated temporary download directory.

This occurs before archive validation or extraction and affects only local development workflows using remote templates, which are documented to require full audit before use (https://docs.djangoproject.com/en/6.0/ref/django-admin/#cmdoption-startapp-template).

Still, the expected behavior is that downloaded template archives should always remain confined to the temporary download directory, regardless of header-provided filenames."	Bug	assigned	Core (Management commands)	6.0	Normal		startapp startproject	ar3ph	Accepted	1	0	0	0	0	0
