Also disallow leading '/' in resource paths. Ref #1635.

changelog.d/1635.change.rst

-Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents. Violations of this expectation raise DeprecationWarnings and will become errors.
+Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents or begin with a leading ``/``. Violations of this expectation raise DeprecationWarnings and will become errors.

docs/pkg_resources.txt

@@ -1132,8 +1132,9 @@ relative to the root of the identified distribution; i.e. its first path
 segment will be treated as a peer of the top-level modules or packages in the
 distribution.
 
-Note that resource names must be ``/``-separated paths rooted at the package
-and cannot contain relative names like ``".."``.  Do *not* use
+Note that resource names must be ``/``-separated paths rooted at the package,
+cannot contain relative names like ``".."``, and cannot begin with a
+leading ``/``.  Do *not* use
 ``os.path`` routines to manipulate resource paths, as they are *not* filesystem
 paths.
 

pkg_resources/__init__.py

@@ -1489,7 +1489,7 @@ class NullProvider:
         >>> warned.clear()
         >>> vrp('/foo/bar.txt')
         >>> bool(warned)
-        False
+        True
         >>> vrp('foo/../../bar.txt')
         >>> bool(warned)
         True
@@ -1498,11 +1498,14 @@ class NullProvider:
         >>> bool(warned)
         False
         """
-        invalid = '..' in path.split('/')
+        invalid = (
+            '..' in path.split('/') or
+            path.startswith('/')
+        )
         if not invalid:
             return
 
-        msg = "Use of .. in a resource path is not allowed."
+        msg = "Use of .. or leading '/' in a resource path is not allowed."
         # for compatibility, warn; in future
         # raise ValueError(msg)
         warnings.warn(