From 0f8482a2a43dee316538034d28a7cb50ba94e6bb Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Thu, 20 Feb 2025 11:13:07 +0100
Subject: [PATCH 1/3] Add additional check for project.license.file
---
 flit_core/flit_core/config.py | 6 +++++-
 flit_core/tests_core/test_config.py | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/flit_core/flit_core/config.py b/flit_core/flit_core/config.py
index 567638a5..a2b23796 100644
--- a/flit_core/flit_core/config.py
+++ b/flit_core/flit_core/config.py
@@ -608,9 +608,13 @@ def read_pep621_metadata(proj, path) -> LoadedConfig:
 raise ConfigError(
 f"License file path ({license_f}) cannot be an absolute path"
 )
+ if ".." in license_f:
+ raise ConfigError(
+ f"License file path ({license_f}) cannot contain '..'"
+ )
 if not (path.parent / license_f).is_file():
 raise ConfigError(f"License file {license_f} does not exist")
- license_files.add(license_tbl['file'])
+ license_files.add(license_f)
 elif 'text' in license_tbl:
 pass
 else:
diff --git a/flit_core/tests_core/test_config.py b/flit_core/tests_core/test_config.py
index 98c36cf3..4663cb77 100644
--- a/flit_core/tests_core/test_config.py
+++ b/flit_core/tests_core/test_config.py
@@ -1,4 +1,5 @@
 import logging
+import re
 import sys
 from pathlib import Path
 import pytest
@@ -139,6 +140,14 @@ def test_bad_include_paths(path, err_match):
 ({'version': 1}, r'\bstr\b'),
 ({'license': {'fromage': 2}}, '[Uu]nrecognised'),
 ({'license': {'file': 'LICENSE', 'text': 'xyz'}}, 'both'),
+ (
+ {'license': {'file': '/LICENSE'}},
+ re.escape("License file path (/LICENSE) cannot be an absolute path"),
+ ),
+ (
+ {'license': {'file': '../LICENSE'}},
+ re.escape("License file path (../LICENSE) cannot contain '..'"),
+ ),
 ({'license': {}}, 'required'),
 ({'license': 1}, "license field should be or , not "),
 # ({'license': "MIT License"}, "Invalid license expression: 'MIT License'"), # TODO
From 5f5982be50d242ae7bd6feb85abb77511bae5c7d Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Thu, 20 Feb 2025 12:29:02 +0100
Subject: [PATCH 2/3] Use os.path.normpath
---
 flit_core/flit_core/config.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/flit_core/flit_core/config.py b/flit_core/flit_core/config.py
index a2b23796..5bc2c602 100644
--- a/flit_core/flit_core/config.py
+++ b/flit_core/flit_core/config.py
@@ -603,17 +603,19 @@ def read_pep621_metadata(proj, path) -> LoadedConfig:
 raise ConfigError(
 "[project.license] should specify file or text, not both"
 )
- license_f = license_tbl['file']
+ license_f = osp.normpath(license_tbl['file'])
 if isabs_ish(license_f):
 raise ConfigError(
- f"License file path ({license_f}) cannot be an absolute path"
+ f"License file path ({license_tbl['file']}) cannot be an absolute path"
 )
- if ".." in license_f:
+ if license_f.startswith('..' + os.sep):
 raise ConfigError(
- f"License file path ({license_f}) cannot contain '..'"
+ f"License file path ({license_tbl['file']}) cannot contain '..'"
 )
- if not (path.parent / license_f).is_file():
- raise ConfigError(f"License file {license_f} does not exist")
+ license_p = path.parent / license_f
+ if not license_p.is_file():
+ raise ConfigError(f"License file {license_tbl['file']} does not exist")
+ license_f = str(license_p.relative_to(path.parent)).replace(osp.sep, "/")
 license_files.add(license_f)
 elif 'text' in license_tbl:
 pass
From 6cb7ad49f7dbd29c3eda743364cb285667380909 Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Sun, 23 Feb 2025 12:32:12 +0100
Subject: [PATCH 3/3] Use pathlib as_posix()
---
 flit_core/flit_core/config.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flit_core/flit_core/config.py b/flit_core/flit_core/config.py
index 5bc2c602..6e7e79ef 100644
--- a/flit_core/flit_core/config.py
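Review bot: The traversal guard `license_f.startswith('..' + os.sep)` is left untested by this commit: its diffstat touches only config.py, so nothing pins that a constructed value such as `docs/../../LICENSE` is rejected or that `./LICENSE` ends up stored as `LICENSE`. A value that normalises to exactly `..` does not match the prefix test and is only turned away later by `is_file()` with the "does not exist" message; `if license_f == '..' or license_f.startswith('..' + os.sep):` would keep the error accurate. The check is lexical, so it presumably does not notice a license file that is a symlink resolving outside the project directory; a short comment stating that only lexical escapes are rejected would make the guarantee explicit, unless containment is verified elsewhere. The hunk also uses `os.sep` here and `osp.sep` a few lines below, and one spelling would read better. `read_pep621_metadata` begins and ends outside the hunk.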
+++ b/flit_core/flit_core/config.py
@@ -473,7 +473,7 @@ def _license_files_from_globs(project_dir: Path, globs, warn_no_files = True):
 )
 try:
 files = [
- str(file.relative_to(project_dir)).replace(osp.sep, "/")
+ file.relative_to(project_dir).as_posix()
 for file in project_dir.glob(pattern)
 if file.is_file()
 ]
@@ -615,7 +615,7 @@ def read_pep621_metadata(proj, path) -> LoadedConfig:
 license_p = path.parent / license_f
 if not license_p.is_file():
 raise ConfigError(f"License file {license_tbl['file']} does not exist")
- license_f = str(license_p.relative_to(path.parent)).replace(osp.sep, "/")
+ license_f = license_p.relative_to(path.parent).as_posix()
 license_files.add(license_f)
 elif 'text' in license_tbl:
 pass