From 8942672bbd8786162ce66ce33a04a79529965881 Mon Sep 17 00:00:00 2001
From: UladzimirTrehubenka
Date: Sat, 25 Oct 2025 08:55:14 +0300
Subject: [PATCH] Backport CVE-47273 fix from 78.1.1 to 75.3.2
---
 setuptools/package_index.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 1a6abebcda..e51d51de6d 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -822,6 +822,10 @@ def _download_url(self, url, tmpdir):
         filename = os.path.join(tmpdir, name)
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename (unknown)")
+
         return self._download_vcs(url, filename) or self._download_other(url, filename)
     @staticmethod
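Review bot: The added guard `if not filename.startswith(str(tmpdir)):` is a string-prefix test on the unnormalized join, so it does not do what its comment claims ("resolves within"): `os.path.join` leaves `..` segments and symlinks untouched, and a bare prefix also accepts a sibling directory whose name merely starts with tmpdir (`/tmp/abc` vs `/tmp/abcd`), so an absolute `name` under such a sibling would pass the check as written. A containment test on resolved paths closes both gaps: `base = os.path.realpath(tmpdir)` / `if os.path.commonpath([base, os.path.realpath(filename)]) != base:`. The `raise ValueError(f"Invalid filename (unknown)")` f-string has no placeholder, so the rejected path is never reported; `f"Invalid filename {filename!r}"` keeps the same exception type and makes the failure diagnosable. Whether `name` is already sanitized earlier in `_download_url` cannot be seen here, as the function starts before the hunk, so the guard should stand on its own. The subject line's `CVE-47273` is missing the year component of a CVE identifier (CVE-YYYY-NNNNN) and should be corrected so the backport is traceable.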