Add a check to ensure the name resolves relative to the tmpdir

icanhasmath · icanhasmath · commit b70102d18d2b · 2025-08-15T18:13:28.000-05:00
Closes pypa#4946: Security Fix for CVE-2025-47273 From 250a6d1 Mon Sep 17 00:00:00 2001 From: "Jason R. Coombs" <jaraco@jaraco.com> Date: Sat, 19 Apr 2025 13:03:47 -0400 --- Adapted to integrate into 68.0.0.2 this required the creation of the staticmethod _resolve_download_filename which was not present in this version.
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
@@ -801,10 +801,25 @@ def open_url(self, url, warning=None):  # noqa: C901  # is too complex (12)
             else:
                 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
 
-    def _download_url(self, url, tmpdir):
-        # Determine download filename
-        #
-        name, fragment = egg_info_for_url(url)
+    @staticmethod
+    def _resolve_download_filename(url, tmpdir):
+        """
+        >>> import pathlib
+        >>> du = PackageIndex._resolve_download_filename
+        >>> root = getfixture('tmp_path')
+        >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+        >>> str(pathlib.Path(du(url, root)).relative_to(root))
+        'setuptools-78.1.0.tar.gz'
+
+        Ensures the target is always in tmpdir.
+
+        >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
+        >>> du(url, root)
+        Traceback (most recent call last):
+        ...
+        ValueError: Invalid filename...
+        """
+        name, _fragment = egg_info_for_url(url)
         if name:
             while '..' in name:
                 name = name.replace('..', '.').replace('\\', '_')
@@ -816,6 +831,17 @@ def _download_url(self, url, tmpdir):
 
         filename = os.path.join(tmpdir, name)
 
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename {filename}")
+
+        return filename
+
+    def _download_url(self, url, tmpdir):
+        """
+        Determine the download filename.
+        """
+        filename = self._resolve_download_filename(url, tmpdir)
         return self._download_vcs(url, filename) or self._download_other(url, filename)
 
     @staticmethod
