backport the fix for CVE-2025-47273 into setuptools v72.1.0.

[Archana-Shinde1]

I tried to backport the CVE-2025-47273 fix into setuptools v72.1.0 by modifying setuptools/package_index.py with the following snippet:

		diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index c24c78376..811faa1f7 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -831,10 +831,32 @@ class PackageIndex(Environment):
         if name.endswith('.egg.zip'):
             name = name[:-4]  # strip the extra .zip before download

-        filename = os.path.join(tmpdir, name)
+        filename = self._resolve_download_filename(url, tmpdir)

         return self._download_vcs(url, filename) or self._download_other(url, filename)

+    def _resolve_download_filename(self, url, tmpdir):
+        """
+        Resolve the target filename for a download safely,
+        ensuring no path traversal outside of tmpdir.
+        """
+        from urllib.parse import urlparse
+        import posixpath
+        import pathlib
+
+        name = posixpath.basename(urlparse(url).path)
+        if not name:
+            raise ValueError(f"Could not determine filename from URL: {url}")
 filename = os.path.join(tmpdir, name)
+        resolved = pathlib.Path(filename).resolve()
+        tmpdir_resolved = pathlib.Path(tmpdir).resolve()
+
+        if not str(resolved).startswith(str(tmpdir_resolved)):
+            raise ValueError(f"Invalid filename resolved outside tmpdir: {resolved}")
+
+        return str(resolved)
+

But I’m running into issues while applying this backport on v72.1.0.

[webknjaz]

It's usually your responsibility to figure out how to resolve conflicts 🤷‍♂️