More pathpattern test cases #388

Merged: jku merged 1 commit into theupdateframework:main from jku:more-pathpattern-tests on Jul 1, 2026
jku commented Jun 3, 2026

Member

No description provided.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
jku force-pushed the more-pathpattern-tests branch from c6fd3eb to 647de87 on June 3, 2026 08:28
wolfv added a commit to wolfv/sigstore-rust that referenced this pull request Jun 3, 2026
Per the TUF spec, PATHPATTERN wildcards use shell-glob semantics: a `*`
matches within a path segment but does not cross `/` (the spec's own
example notes `*.tgz` matches `foo.tgz` but not `targets/foo.tgz`). The
previous code used globset's default options, where `*` spans `/` (like
plain fnmatch), which over-authorizes delegations.

Enable globset's `literal_separator` so `*`/`?` stop at `/`. The current
tuf-conformance delegation tree (`releases/*/*`, `releases/x/*`) already
assumes this and still resolves correctly; this also aligns with the
additional cases in theupdateframework/tuf-conformance#388.

Thanks to @jku for catching this.

Signed-off-by: Wolf Vollprecht <w.vollprecht@gmail.com>
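
The over-authorization described in the commit message above, as an added Python example (not code from tuf-conformance or sigstore-rust). Python's `fnmatch` stands in for a glob matcher whose `*` spans `/`; the function names and the sample paths are constructed for illustration.

```python
import fnmatch

def match_spanning(pattern: str, path: str) -> bool:
    """Plain fnmatch: `*` and `?` also match `/` (the over-permissive behaviour)."""
    return fnmatch.fnmatchcase(path, pattern)

def match_pathpattern(pattern: str, path: str) -> bool:
    """Segment-aware match: wildcards never cross a `/`.

    Pattern and path must have the same number of segments, and each
    segment is matched on its own, so no wildcard can consume a separator.
    """
    pat_segs = pattern.split("/")
    path_segs = path.split("/")
    if len(pat_segs) != len(path_segs):
        return False
    return all(fnmatch.fnmatchcase(s, p) for p, s in zip(pat_segs, path_segs))

# Constructed (delegation pattern, target path) pairs. The two `*.tgz` rows
# are the spec example quoted above; the rest are made up for illustration.
CASES = [
    ("*.tgz", "foo.tgz"),
    ("*.tgz", "targets/foo.tgz"),
    ("releases/*/*", "releases/x/pkg"),
    ("releases/*/*", "releases/pkg"),
    ("releases/x/*", "releases/x/pkg"),
    ("releases/x/*", "releases/x/sub/pkg"),
    ("foo?bar.tgz", "foo/bar.tgz"),
]

def over_authorized(cases):
    """Pairs a spanning matcher accepts but a segment-aware matcher rejects,
    i.e. targets a delegated role would be wrongly trusted for."""
    return [(p, t) for p, t in cases
            if match_spanning(p, t) and not match_pathpattern(p, t)]

if __name__ == "__main__":
    for pattern, path in CASES:
        print(f"{pattern!r:16} {path!r:22} "
              f"spanning={match_spanning(pattern, path)!s:5} "
              f"segment={match_pathpattern(pattern, path)}")
    print("over-authorized:", over_authorized(CASES))
```
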
wolfv added a commit to wolfv/sigstore-rust that referenced this pull request Jun 12, 2026
wolfv added a commit to sigstore/sigstore-rust that referenced this pull request Jun 16, 2026
jku commented Jul 1, 2026

Member Author

I'm merging this: please file an issue if you see a problem later

jku merged commit 1b4b21d into theupdateframework:main on Jul 1, 2026
3 checks passed