From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 30 Jan 2026 09:49:11 -0600
Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
---
news/+1ee322a1.bugfix.rst | 1 +
src/pip/_internal/utils/unpacking.py | 2 +-
tests/unit/test_utils_unpacking.py | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 news/+1ee322a1.bugfix.rst
Index: pip-10.0.1/news/+1ee322a1.bugfix.rst
===================================================================
--- /dev/null
+++ pip-10.0.1/news/+1ee322a1.bugfix.rst
@@ -0,0 +1 @@
+Use a path-segment prefix comparison, not char-by-char.
Index: pip-10.0.1/src/pip/_internal/utils/misc.py
===================================================================
--- pip-10.0.1.orig/src/pip/_internal/utils/misc.py
+++ pip-10.0.1/src/pip/_internal/utils/misc.py
@@ -73,6 +73,19 @@ except ImportError:
logger.debug('lzma module is not available')
+def is_within_directory(directory, target):
+ # type: ((Union[str, Text]), (Union[str, Text])) -> bool
+ """
+ Return true if the absolute path of target is within the directory
+ """
+
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+ prefix = os.path.commonpath([abs_directory, abs_target])
+ return prefix == abs_directory
+
+
def import_or_raise(pkg_or_module_string, ExceptionType, *args, **kwargs):
try:
return __import__(pkg_or_module_string)
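Review bot: `os.path.commonpath` at L33 raises `ValueError` when the two paths are incomparable (on Windows, different drives), so an archive member that resolves onto another drive surfaces as an uncaught `ValueError` instead of the `InstallationError` the callers raise on a `False` result; treating that case as "not within" keeps the helper total and the failure mode uniform. pip 10.0.1 (L12) still supported Python 2.7, where `os.path.commonpath` does not exist (it is 3.4+), so if this package is also built for a 2.7 interpreter the guard fails with `AttributeError` rather than rejecting the member — worth confirming the build targets. The type comment names `Union` and `Text`, whose imports in misc.py are outside the hunk; confirm they are in scope under the file's type-checking guard. Note also that the comparison is lexical (`abspath`, not `realpath`), so symlinks already extracted under `directory` are not resolved by this check.
```python
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)

    try:
        prefix = os.path.commonpath([abs_directory, abs_target])
    except ValueError:
        # Incomparable paths (e.g. different drives on Windows) can never
        # be inside the directory; report that instead of propagating.
        return False
    return prefix == abs_directory
```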
@@ -467,6 +480,12 @@ def unzip_file(filename, location, flatt
fn = split_leading_dir(name)[1]
fn = os.path.join(location, fn)
dir = os.path.dirname(fn)
+ if not is_within_directory(location, fn):
+ raise InstallationError(
+ 'The zip file (%s) has a file (%s) trying to install '
+ 'outside target directory (%s)' %
+ (filename, fn, location)
+ )
if fn.endswith('/') or fn.endswith('\\'):
# A directory
ensure_dir(fn)
@@ -525,6 +544,12 @@ def untar_file(filename, location):
if leading:
fn = split_leading_dir(fn)[1]
path = os.path.join(location, fn)
+ if not is_within_directory(location, path):
+ raise InstallationError(
+ 'The tar file (%s) has a file (%s) trying to install '
+ 'outside target directory (%s)' %
+ (filename, path, location)
+ )
if member.isdir():
ensure_dir(path)
elif member.issym():
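Review bot: The containment test added at L57 is purely lexical — `is_within_directory` compares `os.path.abspath` results — so it cannot see symlinks that earlier members of the same tar have already created under `location`; a tar that first emits a symlink member pointing outside the target and then a regular member whose path passes through that link satisfies this check while writing outside. The `member.issym()` branch that decides whether symlink members are materialized starts at L65 and continues outside the hunk, so whether this is reachable depends on that code; if symlinks are created, the link target should be validated too, e.g. `if member.issym() and not is_within_directory(location, os.path.join(os.path.dirname(path), member.linkname)): raise InstallationError(...)`, or the comparison should use `os.path.realpath` on the parent directory before the check. The same consideration applies to hard-link members (`member.islnk()`), whose `linkname` is not checked by this hunk. untar_file's body continues outside the hunk.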