Commit 1b935caf authored by Jason R. Coombs

Also disallow leading '/' in resource paths. Ref #1635.

parent 20f38687
Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents. Violations of this expectation raise DeprecationWarnings and will become errors.
Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents or begin with a leading ``/``. Violations of this expectation raise DeprecationWarnings and will become errors.
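Review bot: The added changelog sentence does not parse, because "Resource paths are passed to ... and similar no longer accept paths" has two main verbs. Dropping "are" fixes it: "Resource paths passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents or begin with a leading ``/``." The same wording is in the removed line, so it predates this commit, but this is a good moment to correct it.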
......@@ -1132,8 +1132,9 @@ relative to the root of the identified distribution; i.e. its first path
segment will be treated as a peer of the top-level modules or packages in the
distribution.
Note that resource names must be ``/``-separated paths rooted at the package
and cannot contain relative names like ``".."``. Do *not* use
Note that resource names must be ``/``-separated paths rooted at the package,
cannot contain relative names like ``".."``, and cannot begin with a
leading ``/``. Do *not* use
``os.path`` routines to manipulate resource paths, as they are *not* filesystem
paths.
......
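Review bot: The reworded note states the leading ``/`` rule as a hard prohibition ("cannot begin with a leading ``/``"), while the changelog entry in this same commit says violations raise DeprecationWarnings and only later become errors. A sentence here saying that such names are currently still accepted with a warning would keep callers from assuming the library already rejects them, and would tell them to validate untrusted resource names themselves in the meantime.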
......@@ -1489,7 +1489,7 @@ class NullProvider:
>>> warned.clear()
>>> vrp('/foo/bar.txt')
>>> bool(warned)
False
True
>>> vrp('foo/../../bar.txt')
>>> bool(warned)
True
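Review bot: The doctest for `vrp('/foo/bar.txt')` only asserts `bool(warned)`, so it passes for any warning at all and does not pin the new behaviour to the leading-slash rule. Since the message text changes in this commit, checking that the recorded warning mentions the leading '/' would make the test fail for the right reason if the two conditions are later split or reworded.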
......@@ -1498,11 +1498,14 @@ class NullProvider:
>>> bool(warned)
False
"""
invalid = '..' in path.split('/')
invalid = (
'..' in path.split('/') or
path.startswith('/')
)
if not invalid:
return
msg = "Use of .. in a resource path is not allowed."
msg = "Use of .. or leading '/' in a resource path is not allowed."
# for compatibility, warn; in future
# raise ValueError(msg)
warnings.warn(
......
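Review bot: The new condition `path.startswith('/')` and the existing `'..' in path.split('/')` only recognise forward-slash forms, so a name written with backslashes or a drive prefix is not flagged by either test. The documentation says resource names must be ``/``-separated, which makes those inputs out of spec, but this is the function that enforces the spec; consider also flagging paths that contain a backslash or that an `ntpath`-style absolute check would accept. Separately, the retained comment "for compatibility, warn; in future raise ValueError(msg)" means a flagged path is still passed through after the warning, so callers that handle untrusted names get no protection from this check yet; a note on when the `ValueError` is planned would help.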