fix(utils): reject empty project name in parse_wheel_filename/parse_sdist_filename #1305

Merged
brettcannon merged 1 commit into pypa:main from r266-tech:fix/parse-filename-empty-project-name
Jun 29, 2026

@r266-tech

Contributor

parse_wheel_filename and parse_sdist_filename silently accept a filename whose distribution name is empty and return ("", Version(...)) instead of raising the documented InvalidWheelFilename / InvalidSdistFilename:

>>> from packaging.utils import parse_wheel_filename, parse_sdist_filename
>>> parse_wheel_filename("-1.0-py3-none-any.whl")
('', <Version('1.0')>, (), frozenset({<py3-none-any @ ...>}))
>>> parse_sdist_filename("-1.0.tar.gz")
('', <Version('1.0')>)

An empty name is invalid per the binary/source distribution-format specs, and canonicalize_name(..., validate=True) already rejects it — so the parsers are inconsistent with their own :raises: contract, and callers using them to validate artifact filenames get a silently-empty name instead of a clear parse error.

Fix

  • wheel: _wheel_name_regex used * (zero-or-more), so it matched the empty string and the existing "Invalid project name" branch never fired; change it to +.
  • sdist: add an explicit empty-name guard after the rpartition, before canonicalize_name.

Both raise the parser-specific exception (InvalidWheelFilename / InvalidSdistFilename, both ValueError subclasses) so back-compat holds; valid filenames are unaffected. Regression cases added to the existing empty-component parametrize lists.

Sibling of the empty-tag-component rejection in #1234.

parse_wheel_filename and parse_sdist_filename silently accepted a
filename whose distribution name was empty (e.g. '-1.0-py3-none-any.whl'
or '-1.0.tar.gz') and returned ('', Version(...)) instead of raising the
documented InvalidWheelFilename / InvalidSdistFilename.

An empty name is invalid per the binary/source distribution-format specs
and is already rejected by canonicalize_name(validate=True). Make the
parsers fail fast:

- wheel: _wheel_name_regex used '*' (zero-or-more) so it matched the
  empty string; switch to '+' so the existing 'Invalid project name'
  branch fires.
- sdist: add an explicit empty-name guard after the rpartition, before
  canonicalize_name.

Extends the existing empty-component parametrize lists with regression
cases. Sibling of the empty-tag-component rejection in pypa#1234.

@brettcannon merged commit 84833cc into pypa:main Jun 29, 2026
69 checks passed
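
Added example, not part of the pull request or of packaging's source: a stdlib-only sketch of the two failure modes described above, showing how a `*` quantifier lets an empty name through the wheel check and how `rpartition` yields an empty name for the sdist. The patterns `NAME_STAR` / `NAME_PLUS`, the `InvalidFilename` class and the simplified splitting are assumptions made for illustration.

```python
import re

# Simplified stand-ins for the wheel name pattern (assumption, not packaging's source).
NAME_STAR = re.compile(r"^[\w.]*$")  # zero-or-more: "" matches
NAME_PLUS = re.compile(r"^[\w.]+$")  # one-or-more: "" is rejected


class InvalidFilename(ValueError):
    """Hypothetical stand-in for InvalidWheelFilename / InvalidSdistFilename."""


def wheel_name(filename, name_regex):
    """Return the project-name component of a wheel filename, or raise."""
    if not filename.endswith(".whl"):
        raise InvalidFilename(f"not a wheel: {filename!r}")
    parts = filename[:-4].split("-")
    if len(parts) not in (5, 6):  # name-version[-build]-python-abi-platform
        raise InvalidFilename(f"wrong number of parts: {filename!r}")
    if name_regex.match(parts[0]) is None:
        raise InvalidFilename(f"invalid project name: {filename!r}")
    return parts[0]


def sdist_name(filename, guard_empty):
    """Return the project-name component of a .tar.gz sdist filename, or raise."""
    if not filename.endswith(".tar.gz"):
        raise InvalidFilename(f"not a .tar.gz sdist: {filename!r}")
    name, sep, _version = filename[: -len(".tar.gz")].rpartition("-")
    if not sep:
        raise InvalidFilename(f"no version separator: {filename!r}")
    if guard_empty and not name:  # the explicit check the PR describes
        raise InvalidFilename(f"empty project name: {filename!r}")
    return name


def rejected(func, *args):
    """True if func(*args) raises InvalidFilename."""
    try:
        func(*args)
    except InvalidFilename:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the two filenames quoted in the PR plus a valid one each.
    for wheel in ("-1.0-py3-none-any.whl", "demo-1.0-py3-none-any.whl"):
        print(wheel, rejected(wheel_name, wheel, NAME_STAR), rejected(wheel_name, wheel, NAME_PLUS))
    for sdist in ("-1.0.tar.gz", "demo-1.0.tar.gz"):
        print(sdist, rejected(sdist_name, sdist, False), rejected(sdist_name, sdist, True))
```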