Merge pull request #13777 from sethmlarson/commonpath

notatallshaw · web-flow · commit 8e227a9be4fa · 2026-01-30T16:27:57.000-05:00
Use os.path.commonpath() instead of commonprefix()
diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
@@ -0,0 +1 @@
+Use a path-segment prefix comparison, not char-by-char.
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
     abs_directory = os.path.abspath(directory)
     abs_target = os.path.abspath(target)
 
-    prefix = os.path.commonprefix([abs_directory, abs_target])
+    prefix = os.path.commonpath([abs_directory, abs_target])
     return prefix == abs_directory
 
 
diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
@@ -412,6 +412,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
         (("parent/", "parent/sub"), True),
         # Test target outside parent
         (("parent/", "parent/../sub"), False),
+        # Test target sub-string of parent
+        (("parent/child", "parent/childfoo"), False),
     ],
 )
 def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Use a path-segment prefix comparison, not char-by-char.`
Original file line number	Diff line number	Diff line change
`@@ -412,6 +412,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:`
`412`	`412`	`(("parent/", "parent/sub"), True),`
`413`	`413`	`# Test target outside parent`
`414`	`414`	`(("parent/", "parent/../sub"), False),`
	`415`	`+ # Test target sub-string of parent`
	`416`	`+ (("parent/child", "parent/childfoo"), False),`
`415`	`417`	`],`
`416`	`418`	`)`
`417`	`419`	`def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:`