Diffstat (limited to 'setuptools/config.py')
-rw-r--r-- | setuptools/config.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/setuptools/config.py b/setuptools/config.py
index d8513a72..c2319ed5 100644
--- a/setuptools/config.py
+++ b/setuptools/config.py
@@ -128,7 +128,10 @@ class ConfigHandler(object):
 @classmethod
 def _parse_file(cls, value):
 """Represents value as a string, allowing including text
- from nearest files using include().
+ from nearest files using `file:` directive.
+
+ Directive is sandboxed and won't reach anything outside
+ directory with setup.py.
 Examples:
 include: LICENSE
@@ -144,7 +147,14 @@ class ConfigHandler(object):
 if not value.startswith(include_directive):
 return value
+ current_directory = os.getcwd()
+
 filepath = value.replace(include_directive, '').strip()
+ filepath = os.path.abspath(filepath)
+
+ if not filepath.startswith(current_directory):
+ raise DistutilsOptionError(
+ '`file:` directive can not access %s' % filepath)
 if os.path.isfile(filepath):
 with io.open(filepath, encoding='utf-8') as f: |
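Review bot: The containment test `filepath.startswith(current_directory)` in the second hunk is a plain string-prefix comparison, so a sibling path that merely shares the prefix (constructed example: `/src/pkg-other/x` against a working directory of `/src/pkg`) passes it, and `os.path.abspath` does not resolve symlinks, so a link inside the tree that points elsewhere is still read. I would resolve both sides and compare on a separator boundary: `current_directory = os.path.realpath(os.getcwd())`, `filepath = os.path.realpath(filepath)`, `if not filepath.startswith(os.path.join(current_directory, '')):`. The check also treats `os.getcwd()` as the directory holding setup.py, which the visible lines do not establish, so the "sandboxed" wording added to the docstring in the first hunk is stronger than what the code guarantees. `_parse_file` continues past the end of the hunk.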