authorar3ph <192461522+ar3ph@users.noreply.github.com>2026-04-27 21:20:49 +0000
committerJacob Walls <jacobtylerwalls@gmail.com>2026-06-09 11:52:09 -0400
commit46c5e76f0bcc76bfce19ad7ba07f716fc653a822 (patch)
treef13bbad8e285cf245f2fa4044f5cb8c311b78b27 /tests/admin_scripts/tests.py
parentbeb40ed1d2b0503814591a37b08ecbd71f2ff729 (diff)
Fixed #36900 -- Used safe_join() on downloaded template archive.
Diffstat (limited to 'tests/admin_scripts/tests.py')
-rw-r--r--tests/admin_scripts/tests.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/admin_scripts/tests.py b/tests/admin_scripts/tests.py
index 819ba931d6..3eb7b97c99 100644
--- a/tests/admin_scripts/tests.py
+++ b/tests/admin_scripts/tests.py
@@ -2778,6 +2778,21 @@ class StartProject(LiveServerTestCase, AdminScriptTestCase):
self.assertTrue(os.path.isdir(testproject_dir))
self.assertTrue(os.path.exists(os.path.join(testproject_dir, "run.py")))
+ def test_custom_project_template_from_tarball_by_url_bad_filename(self):
+ """
+ The startproject management command will raise SuspiciousFileOperation
+ on an ill-formed remote template archive filename.
+ """
+ template_url = "%s/bad_template_filename.tgz" % self.live_server_url
+
+ args = ["startproject", "--template", template_url, "urltestproject"]
+
+ out, err = self.run_django_admin(args)
+ self.assertOutput(
+ err,
+ "is located outside of the base path component",
+ )
+
def test_custom_project_template_from_tarball_by_url_django_user_agent(self):
user_agent = None
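Review bot: The assertion in `test_custom_project_template_from_tarball_by_url_bad_filename` matches only the substring "is located outside of the base path component", so it does not confirm the exception type the docstring names, and it does not check that nothing was written outside the intended directory. Adding `self.assertOutput(err, "SuspiciousFileOperation")` would tie the test to the documented behaviour rather than to the message wording alone. The filename served for `bad_template_filename.tgz` is defined outside this hunk, so the docstring should say what makes it ill-formed; presumably it is a name that resolves outside the directory the archive is saved to, which should be confirmed against the test URL configuration. `out` is never used and can be unpacked as `_, err = self.run_django_admin(args)`.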