normpath linkname

user · user · commit 7f2a97991e44 · 2025-08-20T16:28:53.000+08:00
diff --git a/news/13550.bugfix.rst b/news/13550.bugfix.rst
@@ -1,2 +1,2 @@
-Add the _check_link_targetfunction to validate the file pointed to by a symlink. If path traversal 
-is detected, it should raise an InstallationErrorexception, similar to is_within_directory.
+Add the _check_link_targetfunction to validate the file pointed to by a symlink. If path traversal
+is detected, it should raise an InstallationErrorexception, similar to is_within_directory.
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
@@ -261,6 +261,8 @@ def _check_link_target(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> None:
             filter(None, (os.path.dirname(tarinfo.name), tarinfo.linkname))
         )
 
+        linkname = os.path.normpath(linkname)
+
         try:
             tar.getmember(linkname)
         except KeyError:
diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
@@ -239,7 +239,7 @@ def test_unpack_tar_links(self, input_prefix: str, unpack_prefix: str) -> None:
         with open(os.path.join(unpack_dir, "symlink.txt"), "rb") as f:
             assert f.read() == content
 
-    def test_unpack_normal_tar_links_no_data_filter(
+    def test_unpack_normal_tar_link1_no_data_filter(
         self, monkeypatch: MonkeyPatch
     ) -> None:
         """
@@ -274,6 +274,41 @@ def test_unpack_normal_tar_links_no_data_filter(
         with open(os.path.join(extract_path, "normal_symlink"), "rb") as f:
             assert f.read() == b"normal\n"
 
+    def test_unpack_normal_tar_link2_no_data_filter(
+        self, monkeypatch: MonkeyPatch
+    ) -> None:
+        """
+        Test unpacking a normal tar with file containing soft links, but no data_filter
+        """
+        if hasattr(tarfile, "data_filter"):
+            monkeypatch.delattr("tarfile.data_filter")
+
+        tar_filename = "test_tar_links_no_data_filter.tar"
+        tar_filepath = os.path.join(self.tempdir, tar_filename)
+
+        extract_path = os.path.join(self.tempdir, "extract_path")
+
+        with tarfile.open(tar_filepath, "w") as tar:
+            file_data = io.BytesIO(b"normal\n")
+            normal_file_tarinfo = tarfile.TarInfo(name="normal_file")
+            normal_file_tarinfo.size = len(file_data.getbuffer())
+            tar.addfile(normal_file_tarinfo, fileobj=file_data)
+
+            info = tarfile.TarInfo("sub/normal_symlink")
+            info.type = tarfile.SYMTYPE
+            info.linkpath = ".." + os.path.sep + "normal_file"
+            tar.addfile(info)
+
+        untar_file(tar_filepath, extract_path)
+
+        assert os.path.islink(os.path.join(extract_path, "sub", "normal_symlink"))
+
+        link_path = os.readlink(os.path.join(extract_path, "sub", "normal_symlink"))
+        assert link_path == ".." + os.path.sep + "normal_file"
+
+        with open(os.path.join(extract_path, "sub", "normal_symlink"), "rb") as f:
+            assert f.read() == b"normal\n"
+
     def test_unpack_evil_tar_link1_no_data_filter(
         self, monkeypatch: MonkeyPatch
     ) -> None:

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,8 @@ def _check_link_target(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> None:`
`261`	`261`	`filter(None, (os.path.dirname(tarinfo.name), tarinfo.linkname))`
`262`	`262`	`)`
`263`	`263`
	`264`	`+ linkname = os.path.normpath(linkname)`
	`265`	`+`
`264`	`266`	`try:`
`265`	`267`	`tar.getmember(linkname)`
`266`	`268`	`except KeyError:`