Modpack format path warning does not cover all possible bad paths on windows

[SilverAndro]

Going off of https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats the given warning on https://docs.modrinth.com/docs/modpacks/format_definition/#path that says to "make sure it doesn't contain .. or start with a drive name (i.e., [A-Z]:/, [A-Z]:\, and /).", If implemented at face value, would still result in multiple bad file paths being permitted such as:

• \Program Files\Custom Utilities\StringFinder.exe: A relative path from the root of the current drive.
• \\system07\C$\: The root directory of the C: drive on system07. (A network drive/resource)
• DOS device paths such as \\.\C:\Test\Foo.txt and \\?\C:\Test\Foo.txt
• Paths with ..\

This could be resolved by either adding \ as a disallowed starting character and adding ..\, or promoting normalization checks instead

[Akarys42]

If those paths are accepted by some launcher implementations, this should be escalated to a security advisory (CWE-35: Path transversal)

[SilverAndro]

CWE-22 actually

CWE-35 is covered by the .. restriction as it's specifically about improper normalization and not generic path traversal