Date: Mon, 04 May 2026 16:01:10 +0000 From: Tijl Coosemans <tijl@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 644ec0bc04d2 - main - devel/py-installer: Fix destdir problem Message-ID: <69f8c2c6.21bed.679570a3@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by tijl: URL: https://cgit.FreeBSD.org/ports/commit/?id=644ec0bc04d20ec68fa54b1a1c8e4962df52de63 commit 644ec0bc04d20ec68fa54b1a1c8e4962df52de63 Author: Tijl Coosemans <tijl@FreeBSD.org> AuthorDate: 2026-04-26 21:08:44 +0000 Commit: Tijl Coosemans <tijl@FreeBSD.org> CommitDate: 2026-05-04 16:00:40 +0000 devel/py-installer: Fix destdir problem Add a patch based on upstream 8b72cf945bfa (and b5f03f151f0e as prerequisite) that replaces a Path.resolve() call with os.path.abspath() that does not resolve symlinks. This fixes a problem with staging in some ports if the port is already installed. For example, with devel/py-build installed, /usr/local/bin/pyproject-build is a symlink to pyproject-build-3.11 (because of USES=uniquefiles) and if you then build devel/py-build the Path.resolve() call caused pyproject-build to be installed in the stage directory as pyproject-build-3.11. PR: 294631 Approved by: sunpoet --- devel/py-installer/Makefile | 1 + .../files/patch-src_installer_destinations.py | 28 ++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/devel/py-installer/Makefile b/devel/py-installer/Makefile index 3de6a1a55d89..4bd4a88a9de0 100644 --- a/devel/py-installer/Makefile +++ b/devel/py-installer/Makefile @@ -1,5 +1,6 @@ PORTNAME= installer PORTVERSION= 1.0.0 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/devel/py-installer/files/patch-src_installer_destinations.py b/devel/py-installer/files/patch-src_installer_destinations.py new file mode 100644 index 000000000000..1079affcaa6c --- /dev/null +++ b/devel/py-installer/files/patch-src_installer_destinations.py @@ -0,0 +1,28 @@ +Combination of https://github.com/pypa/installer/commit/8b72cf945bfa and +https://github.com/pypa/installer/commit/b5f03f151f0e. +See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294631 and +https://github.com/pypa/installer/issues/325. + +--- src/installer/destinations.py.orig 2026-03-28 15:38:56 UTC ++++ src/installer/destinations.py +@@ -136,8 +136,18 @@ class SchemeDictionaryDestination(WheelDestination): + """Silently overwrite existing files.""" + + def _path_with_destdir(self, scheme: Scheme, path: str) -> Path: +- target_dir = Path(self.scheme_dict[scheme]).resolve() +- file = (target_dir / path).resolve() ++ # See https://docs.python.org/3/library/zipfile.html#zipfile.Path: ++ # When handling untrusted archives, ++ # consider resolving filenames using os.path.abspath() ++ # and checking against the target directory with os.path.commonpath(). ++ # ++ # Attention: Path.absolute() is not sufficient because it does not ++ # normalize, i.e. does not remove "..". ++ # ++ # We want to avoid Path.resolve() because it is significantly slower ++ # than os.path.abspath()! ++ target_dir = Path(os.path.abspath(self.scheme_dict[scheme])) # noqa: PTH100 ++ file = Path(os.path.abspath(target_dir / path)) # noqa: PTH100 + + if not file.is_relative_to(target_dir): + raise ValueError(home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f8c2c6.21bed.679570a3>