Skip to content

Add additional check for project.license.file#725

Merged
takluyver merged 3 commits intopypa:mainfrom
cdce8p:license-file-check
Mar 1, 2025
Merged

Add additional check for project.license.file#725
takluyver merged 3 commits intopypa:mainfrom
cdce8p:license-file-check

Conversation

@cdce8p
Copy link
Member

@cdce8p cdce8p commented Feb 20, 2025

Closes #724

@cdce8p cdce8p mentioned this pull request Feb 20, 2025
Closed
AA-Turner
AA-Turner reviewed Feb 20, 2025
View reviewed changes
flit_core/flit_core/config.py Outdated
raise ConfigError(
f"License file path ({license_f}) cannot be an absolute path"
)
if ".." in license_f:
Copy link
Contributor

@AA-Turner AA-Turner Feb 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps? Although, normpath just does lexical manipulation and e.g. a/spam/../b might refer to a symlink.

Suggested change
if ".." in license_f:
if ".." in os.path.normpath(license_f):

Copy link
Contributor

@AA-Turner AA-Turner Feb 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or actually, as e.g. a file might be named a..b. I think backslashes are prohibited?

Suggested change
if ".." in license_f:
if ".." in license_f.split('/'):

Copy link
Member Author

@cdce8p cdce8p Feb 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps? Although, normpath just does lexical manipulation and e.g. a/spam/../b might refer to a symlink.

Technically, yes. Although I'm not sure it's worth the effort. Same for file names which contain ...
For the overwhelming majority, checking if ".." in license_f: to provide a better error message should be enough.

Copy link
Member

@takluyver takluyver Feb 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the check we do for paths in the sdist include/exclude lists:

flit/flit_core/flit_core/config.py

Lines 239 to 249 in 5f8c75f

normp = osp.normpath(p)
if isabs_ish(normp):
raise ConfigError(
f'{clude} pattern {p!r} is an absolute path'
)
if normp.startswith('..' + os.sep):
raise ConfigError(
'{} pattern {!r} points out of the directory containing pyproject.toml'
.format(clude, p)
)

I can't think of a use case for a path like foo/../bar (which will normalise to just bar), but it is currently allowed in that case. Whatever we do, I'd like it to be consistent across all the places where a relative path is specified.

@cdce8p cdce8p force-pushed the license-file-check branch from b9e7333 to 5f5982b Compare February 20, 2025 11:42
AA-Turner
AA-Turner approved these changes Feb 22, 2025
View reviewed changes
@takluyver takluyver added the bug label Mar 1, 2025
@takluyver takluyver added this to the 3.12 milestone Mar 1, 2025
@takluyver takluyver merged commit 8d5ec8c into pypa:main Mar 1, 2025
16 checks passed
@takluyver
Copy link
Member

takluyver commented Mar 1, 2025

Thanks!

@cdce8p cdce8p deleted the license-file-check branch March 1, 2025 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@takluyver takluyver takluyver left review comments

+1 more reviewer

@AA-Turner AA-Turner AA-Turner approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

3.12

Development

Successfully merging this pull request may close these issues.

license.file failure in flit-core 3.11

3 participants

@cdce8p @takluyver @AA-Turner