File: CVE-2025-47273.patch

setuptools 66.1.1-1+deb12u2
  • area: main
  • in suites: bookworm
  • size: 9,600 kB
  • sloc: python: 59,925; ansic: 196; makefile: 84; xml: 14
file content (13 lines) | stat: -rw-r--r-- 414 bytes
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -829,6 +829,10 @@
 
         filename = os.path.join(tmpdir, name)
 
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename {filename}")
+
         return self._download_vcs(url, filename) or self._download_other(url, filename)
 
     @staticmethod
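
Review bot: The containment check at `if not filename.startswith(str(tmpdir)):` is a plain string-prefix comparison on an unnormalized path, so it does not match the comment "ensure path resolves within the tmpdir": nothing is resolved before the comparison. It does catch an absolute `name` that makes `os.path.join(tmpdir, name)` discard `tmpdir`, but a `name` containing `..` components still yields a string that begins with `tmpdir`, and an absolute `name` that merely shares the prefix (for example `<tmpdir>-other/file`) passes as well because the prefix is not terminated by a path separator. Whether `name` can still carry `..` at this point is not visible in the hunk; unless earlier code rules it out, normalize both sides first (for example with `os.path.realpath`) and compare with `os.path.commonpath([tmpdir, filename]) == tmpdir`, or at minimum test the prefix against `os.path.join(tmpdir, '')`. A regression test covering an absolute `name` and a `name` with `..` would pin down the intended behaviour.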