diff --git a/flit_core/flit_core/config.py b/flit_core/flit_core/config.py
index 567638a5..a2b23796 100644
--- a/flit_core/flit_core/config.py
+++ b/flit_core/flit_core/config.py
@@ -608,9 +608,13 @@ def read_pep621_metadata(proj, path) -> LoadedConfig:
 raise ConfigError(
 f"License file path ({license_f}) cannot be an absolute path"
 )
+ if ".." in license_f:
+ raise ConfigError(
+ f"License file path ({license_f}) cannot contain '..'"
+ )
 if not (path.parent / license_f).is_file():
 raise ConfigError(f"License file {license_f} does not exist")
- license_files.add(license_tbl['file'])
+ license_files.add(license_f)
 elif 'text' in license_tbl:
 pass
 else:
diff --git a/flit_core/tests_core/test_config.py b/flit_core/tests_core/test_config.py
index 98c36cf3..4663cb77 100644
--- a/flit_core/tests_core/test_config.py
+++ b/flit_core/tests_core/test_config.py
@@ -1,4 +1,5 @@
 import logging
+import re
 import sys
 from pathlib import Path
 import pytest
@@ -139,6 +140,14 @@ def test_bad_include_paths(path, err_match):
 ({'version': 1}, r'\bstr\b'),
 ({'license': {'fromage': 2}}, '[Uu]nrecognised'),
 ({'license': {'file': 'LICENSE', 'text': 'xyz'}}, 'both'),
+ (
+ {'license': {'file': '/LICENSE'}},
+ re.escape("License file path (/LICENSE) cannot be an absolute path"),
+ ),
+ (
+ {'license': {'file': '../LICENSE'}},
+ re.escape("License file path (../LICENSE) cannot contain '..'"),
+ ),
 ({'license': {}}, 'required'),
 ({'license': 1}, "license field should be or , not "),
 # ({'license': "MIT License"}, "Invalid license expression: 'MIT License'"), # TODO
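Review bot: The new `if ".." in license_f:` guard is a substring test, so besides parent-directory references it also rejects ordinary file names that merely contain two consecutive dots, such as `LICENSE..txt`. Over-rejecting is the safe direction, but if that is deliberate it deserves a comment saying so; otherwise compare path components instead, e.g. `if ".." in license_f.replace("\\", "/").split("/"):`. Neither form checks where the path actually resolves, so a symlink inside the project directory would still pass the `is_file()` test that follows; whether that matters depends on how the file is later read and packaged, which is not visible here. The body of `read_pep621_metadata` starts and ends outside the hunk.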
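Review bot: The two added cases pin only a leading `/` and a leading `../`; nothing covers a parent reference in the middle of a path, which is the case that distinguishes this check from a simple prefix test. Consider adding `({'license': {'file': 'docs/../LICENSE'}}, re.escape("License file path (docs/../LICENSE) cannot contain '..'")),` next to them so a later refactor of the guard cannot silently narrow it. The parametrize list these entries belong to starts and ends outside the hunk.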