Disallow Windows absolute paths unconditionally with no deprecation p…

…eriod.
pypa · Jan 27, 2019 · 91d769e · 91d769e
1 parent 36a6a8b
commit 91d769e
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/pkg_resources/__init__.py b/pkg_resources/__init__.py
@@ -39,6 +39,8 @@
 import textwrap
 import itertools
 import inspect
+import ntpath
+import posixpath
 from pkgutil import get_importer
 
 try:
@@ -1497,15 +1499,34 @@ def _validate_resource_path(path):
         >>> vrp('foo/f../bar.txt')
         >>> bool(warned)
         False
+
+        Windows path separators are straight-up disallowed.
+        >>> vrp(r'\\foo/bar.txt')
+        Traceback (most recent call last):
+        ...
+        ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
+
+        >>> vrp(r'C:\\foo/bar.txt')
+        Traceback (most recent call last):
+        ...
+        ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
         """
         invalid = (
-            '..' in path.split('/') or
-            path.startswith('/')
+            os.path.pardir in path.split(posixpath.sep) or
+            posixpath.isabs(path) or
+            ntpath.isabs(path)
         )
         if not invalid:
             return
 
-        msg = "Use of .. or leading '/' in a resource path is not allowed."
+        msg = "Use of .. or absolute path in a resource path is not allowed."
+
+        # Aggressively disallow Windows absolute paths
+        if ntpath.isabs(path) and not posixpath.isabs(path):
+            raise ValueError(msg)
+
         # for compatibility, warn; in future
         # raise ValueError(msg)
         warnings.warn(