[Django] #36900: startproject and startapp do not sanitize filename from Content-Disposition header


Django

Feb 3, 2026, 10:08:45 AM
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Type: Bug
Status: new                           | Component: Core (Management commands)
Version: 6.0                          | Severity: Normal
Keywords: startapp startproject       | Triage Stage: Unreviewed
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
When using `django-admin startproject` or `startapp` with a remote
`--template` URL, the download logic trusts the filename value from the
HTTP `Content-Disposition` header and uses it directly to construct a
filesystem path.

In `TemplateCommand.download()`, the header-provided filename is joined
with the temporary download directory and passed to `shutil.move()`
without normalization. The filename is not sanitized, allowing the
downloaded file to be written outside the command’s designated temporary
download directory.

This occurs before archive validation or extraction and affects only local
development workflows using remote templates, which are documented to
require full audit before use
(https://docs.djangoproject.com/en/6.0/ref/django-admin/#cmdoption-startapp-template).

Still, the expected behavior is that downloaded template archives should
always remain confined to the temporary download directory, regardless of
header-provided filenames.
--
Ticket URL: <https://code.djangoproject.com/ticket/36900>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
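As an added illustration of the confinement the report asks for (this is not Django's code and not the fix in the linked PR): the `Content-Disposition` filename is parsed with the stdlib email parser, reduced to a single path component, and the final destination is verified to be a direct child of the temporary directory before anything like `shutil.move()` would run. The function names and the `template.zip` fallback are my own assumptions.

```python
import os
import tempfile
from email.message import Message
from typing import Optional


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value.

    Reuses the stdlib email parser, which also understands the RFC 2231
    ``filename*=`` form. Returns None when no filename is present.
    """
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def safe_download_path(tempdir: str, header: str, fallback: str) -> str:
    """Return a destination path that is always a direct child of tempdir.

    Hypothetical helper, not Django's implementation: keeps only the last
    path component of the header-provided name (both separator styles),
    falls back to a fixed name when nothing usable remains, and then checks
    that the resolved result still lives directly under the resolved tempdir.
    """
    name = filename_from_content_disposition(header) or ""
    name = os.path.basename(name.replace("\\", "/"))
    if not name or name in {".", ".."}:
        name = fallback
    root = os.path.realpath(tempdir)
    dest = os.path.realpath(os.path.join(root, name))
    # realpath also follows a pre-existing symlink of that name, so a link
    # pointing outside the directory is rejected here as well.
    if os.path.dirname(dest) != root:
        raise ValueError(f"refusing to write outside {root!r}: {dest!r}")
    return dest


def confined_name(header: str, fallback: str = "template.zip") -> str:
    """Run safe_download_path in a fresh temporary directory and report the
    final filename that would actually be written there."""
    with tempfile.TemporaryDirectory() as tmp:
        return os.path.basename(safe_download_path(tmp, header, fallback))
```

Calling `confined_name('attachment; filename="../../../escape.tar.gz"')` yields `escape.tar.gz`, i.e. the archive stays inside the download directory whatever the server sends.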

Django

Feb 3, 2026, 10:35:31 AM
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: (none)
Type: Bug                             | Status: new
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Unreviewed
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by jaffar Khan):

* cc: jaffar Khan (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:1>

Django

Feb 3, 2026, 10:39:53 AM
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: (none)
Type: Bug                             | Status: new
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Accepted
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:2>

Django

2:59 AM (18 hours ago)
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: (none)
Type: Bug                             | Status: new
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Accepted
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by ar3ph):

I can take a look at this.
--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:3>

Django

3:01 AM (18 hours ago)
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: ar3ph
Type: Bug                             | Status: assigned
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Accepted
Has patch: 0                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by ar3ph):

* cc: ar3ph (added)
* owner: (none) => ar3ph
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:4>

Django

3:59 AM (17 hours ago)
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: ar3ph
Type: Bug                             | Status: assigned
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Accepted
Has patch: 1                          | Needs documentation: 0
Needs tests: 0                        | Patch needs improvement: 0
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by ar3ph):

* has_patch: 0 => 1

Comment:

Here is a patch for the filename from the `Content-Disposition` header:
https://github.com/django/django/pull/20639

Do I need to update/add a test though? I can't find any existing tests for
the template command.
--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:5>

Django

6:58 AM (14 hours ago)
to django-...@googlegroups.com
#36900: startproject and startapp do not sanitize filename from Content-Disposition header
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart              | Owner: ar3ph
Type: Bug                             | Status: assigned
Component: Core (Management commands) | Version: 6.0
Severity: Normal                      | Resolution:
Keywords: startapp startproject       | Triage Stage: Accepted
Has patch: 1                          | Needs documentation: 1
Needs tests: 1                        | Patch needs improvement: 1
Easy pickings: 0                      | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* needs_better_patch: 0 => 1
* needs_docs: 0 => 1
* needs_tests: 0 => 1

Comment:

Replying to [comment:5 ar3ph]:
> Do I need to update/add a test though? I can't find any existing tests
> for the template command.

Yes, most definitely. Existing tests are located in
https://github.com/django/django/blob/main/tests/admin_scripts/tests.py

Setting the flags per PR comments.
--
Ticket URL: <https://code.djangoproject.com/ticket/36900#comment:6>