Replace _check_link_target with is_symlink_target_in_tar​​;

dkjsone · dkjsone · commit dcd1ff5b159d · 2025-08-27T22:06:51.000+08:00
​​Add deprecation note for _untar_without_filter for future removal​
diff --git a/news/13550.bugfix.rst b/news/13550.bugfix.rst
@@ -1,2 +1,2 @@
-Add the _check_link_targetfunction to validate the file pointed to by a symlink. If path traversal
-is detected, it should raise an InstallationErrorexception, similar to is_within_directory.
+Pip will now raise an installation error for a source distribution when it includes a symlink that
+points outside the source distribution archive.
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
@@ -248,36 +248,31 @@ def pip_filter(member: tarfile.TarInfo, path: str) -> tarfile.TarInfo:
         tar.close()
 
 
+def is_symlink_target_in_tar(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> bool:
+    """Check if the file pointed to by the symbolic link is in the tar archive"""
+    linkname = os.path.join(os.path.dirname(tarinfo.name), tarinfo.linkname)
+
+    linkname = os.path.normpath(linkname)
+    if "\\" in linkname:
+        linkname = linkname.replace("\\", "/")
+
+    try:
+        tar.getmember(linkname)
+        return True
+    except KeyError:
+        return False
+
+
 def _untar_without_filter(
     filename: str,
     location: str,
     tar: tarfile.TarFile,
     leading: bool,
 ) -> None:
     """Fallback for Python without tarfile.data_filter"""
-
-    def _check_link_target(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> None:
-        linkname = "/".join(
-            filter(None, (os.path.dirname(tarinfo.name), tarinfo.linkname))
-        )
-
-        linkname = os.path.normpath(linkname)
-
-        try:
-            tar.getmember(linkname)
-        except KeyError:
-            if "\\" in linkname or "/" in linkname:
-                if "\\" in linkname:
-                    linkname = linkname.replace("\\", "/")
-                else:
-                    linkname = linkname.replace("/", "\\")
-                try:
-                    tar.getmember(linkname)
-                except KeyError:
-                    raise KeyError(linkname)
-            else:
-                raise KeyError(linkname)
-
+    # NOTE: This function can be removed once pip requires CPython ≥ 3.12.​
+    # PEP 706 added tarfile.data_filter, made tarfile extraction operations more secure.
+    # This feature is fully supported from CPython 3.12 onward.
     for member in tar.getmembers():
         fn = member.name
         if leading:
@@ -292,14 +287,14 @@ def _check_link_target(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> None:
         if member.isdir():
             ensure_dir(path)
         elif member.issym():
-            try:
-                _check_link_target(tar, member)
-            except KeyError as exc:
+            if not is_symlink_target_in_tar(tar, member):
                 message = (
                     "The tar file ({}) has a file ({}) trying to install "
                     "outside target directory ({})"
                 )
-                raise InstallationError(message.format(filename, member.name, exc))
+                raise InstallationError(
+                    message.format(filename, member.name, member.linkname)
+                )
             try:
                 tar._extract_member(member, path)
             except Exception as exc:
