From 46c5e76f0bcc76bfce19ad7ba07f716fc653a822 Mon Sep 17 00:00:00 2001 From: ar3ph <192461522+ar3ph@users.noreply.github.com> Date: Mon, 27 Apr 2026 21:20:49 +0000 Subject: Fixed #36900 -- Used safe_join() on downloaded template archive. --- tests/admin_scripts/tests.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'tests/admin_scripts/tests.py') diff --git a/tests/admin_scripts/tests.py b/tests/admin_scripts/tests.py index 819ba931d6..3eb7b97c99 100644 --- a/tests/admin_scripts/tests.py +++ b/tests/admin_scripts/tests.py @@ -2778,6 +2778,21 @@ class StartProject(LiveServerTestCase, AdminScriptTestCase): self.assertTrue(os.path.isdir(testproject_dir)) self.assertTrue(os.path.exists(os.path.join(testproject_dir, "run.py"))) + def test_custom_project_template_from_tarball_by_url_bad_filename(self): + """ + The startproject management command will raise SuspiciousFileOperation + on an ill-formed remote template archive filename. + """ + template_url = "%s/bad_template_filename.tgz" % self.live_server_url + + args = ["startproject", "--template", template_url, "urltestproject"] + + out, err = self.run_django_admin(args) + self.assertOutput( + err, + "is located outside of the base path component", + ) + def test_custom_project_template_from_tarball_by_url_django_user_agent(self): user_agent = None -- cgit v1.3