mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-19 03:08:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Refs #36588 -- Warned about using external templates in startapp/startproject commands.
Some checks are pending
Docs / spelling (push) Waiting to run
Details
Docs / blacken-docs (push) Waiting to run
Details
Docs / lint-docs (push) Waiting to run
Details
Linters / flake8 (push) Waiting to run
Details
Linters / isort (push) Waiting to run
Details
Linters / black (push) Waiting to run
Details
Tests / Windows, SQLite, Python 3.13 (push) Waiting to run
Details
Tests / JavaScript tests (push) Waiting to run
Details

Browse source 
Clarified that custom templates provided via `--template` for `starapp`
and `startproject` are used as-is, adding a warning that malicious or
poorly constructed templates may introduce security issues.
This commit is contained in:
Jake Howard 2025-09-04 11:53:51 +01:00 committed by nessita
parent c595af6545
commit 4e7a991c12
1 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/ref/django-admin.txt
View file

@ -1319,6 +1319,15 @@ zip files, you can use a URL like:
django-admin startapp --template=https://github.com/githubuser/django-app-template/archive/main.zip myapp django-admin startapp --template=https://github.com/githubuser/django-app-template/archive/main.zip myapp
.. warning::
Templates provided via ``--template`` are used as is. Malicious or poorly
constructed templates may introduce security weaknesses or unintended
behavior. Compressed archives may also consume excessive resources during
extraction, potentially causing crashes or hangs.
Contents of templates should be carefully inspected before use.
.. django-admin-option:: --extension EXTENSIONS, -e EXTENSIONS .. django-admin-option:: --extension EXTENSIONS, -e EXTENSIONS
Specifies which file extensions in the app template should be rendered with the Specifies which file extensions in the app template should be rendered with the
@ -1412,7 +1421,10 @@ For example:
.. django-admin-option:: --template TEMPLATE .. django-admin-option:: --template TEMPLATE
Specifies a directory, file path, or URL of a custom project template. See the Specifies a directory, file path, or URL of a custom project template. See the
:option:`startapp --template` documentation for examples and usage. :option:`startapp --template` documentation for examples and usage. The same
**security considerations** described for ``startapp`` templates apply here:
malicious or poorly constructed templates may introduce weaknesses or consume
excessive resources, and templates should be carefully inspected before use.
.. django-admin-option:: --extension EXTENSIONS, -e EXTENSIONS .. django-admin-option:: --extension EXTENSIONS, -e EXTENSIONS