From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sat, 19 Apr 2025 12:49:55 -0400
Subject: [PATCH] Extract _resolve_download_filename with test.
Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
CVE: CVE-2025-47273 #Dependency Patch
Signed-off-by: Vijay Anusuri
---
 setuptools/package_index.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 00a972d..d460fcb 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -815,9 +815,16 @@ class PackageIndex(Environment):
 else:
 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
- def _download_url(self, url, tmpdir):
- # Determine download filename
- #
+ @staticmethod
+ def _resolve_download_filename(url, tmpdir):
+ """
+ >>> du = PackageIndex._resolve_download_filename
+ >>> root = getfixture('tmp_path')
+ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+ >>> import pathlib
+ >>> str(pathlib.Path(du(url, root)).relative_to(root))
+ 'setuptools-78.1.0.tar.gz'
+ """
 name, fragment = egg_info_for_url(url)
 if name:
 while '..' in name:
@@ -828,8 +835,13 @@ class PackageIndex(Environment):
 if name.endswith('.egg.zip'):
 name = name[:-4]  # strip the extra .zip before download
- filename = os.path.join(tmpdir, name)
+ return os.path.join(tmpdir, name)
+ def _download_url(self, url, tmpdir):
+ """
+ Determine the download filename.
+ """
+ filename = self._resolve_download_filename(url, tmpdir)
 return self._download_vcs(url, filename) or self._download_other(url, filename)
 @staticmethod
--
2.25.1
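Review bot: `_resolve_download_filename` ends with `return os.path.join(tmpdir, name)` and nothing visible confirms the result still lies under `tmpdir`; `os.path.join` drops `tmpdir` when `name` is absolute and keeps any separators `name` carries, the only sanitisation shown is the `while '..' in name:` loop whose body falls between the two hunks, and what `egg_info_for_url` can return is not visible here. The commit is tagged as a dependency patch for CVE-2025-47273, so the containment check is presumably in the follow-up, but this helper is the natural place for it: `filename = os.path.join(tmpdir, name)`, then `if os.path.commonpath([os.path.abspath(tmpdir), os.path.abspath(filename)]) != os.path.abspath(tmpdir): raise DistutilsError("download filename %r escapes %s" % (name, tmpdir))`, then `return filename`, with a second doctest covering a rejected name next to the existing one. The new `_download_url` docstring `Determine the download filename.` now describes only the helper it calls; `"""Resolve the download path for *url* under *tmpdir* and fetch it via _download_vcs or _download_other."""` matches what the body does. `_resolve_download_filename` starts in the first hunk and its body continues past it into the second, so the loop that handles `'..'` is not under review here.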