Add a check to ensure the name resolves relative to the tmpdir.

jaraco · jaraco · commit 250a6d17978f · 2025-04-19T13:03:47.000-04:00
Closes #4946
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
@@ -810,12 +810,20 @@ def open_url(self, url, warning=None):  # noqa: C901  # is too complex (12)
     @staticmethod
     def _resolve_download_filename(url, tmpdir):
         """
+        >>> import pathlib
         >>> du = PackageIndex._resolve_download_filename
         >>> root = getfixture('tmp_path')
         >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
-        >>> import pathlib
         >>> str(pathlib.Path(du(url, root)).relative_to(root))
         'setuptools-78.1.0.tar.gz'
+
+        Ensures the target is always in tmpdir.
+
+        >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
+        >>> du(url, root)
+        Traceback (most recent call last):
+        ...
+        ValueError: Invalid filename...
         """
         name, _fragment = egg_info_for_url(url)
         if name:
@@ -827,7 +835,13 @@ def _resolve_download_filename(url, tmpdir):
         if name.endswith('.egg.zip'):
             name = name[:-4]  # strip the extra .zip before download
 
-        return os.path.join(tmpdir, name)
+        filename = os.path.join(tmpdir, name)
+
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename {filename}")
+
+        return filename
 
     def _download_url(self, url, tmpdir):
         """
