Disallow Windows absolute paths unconditionally with no deprecation period.

91d769e8 · Jason R. Coombs · 36a6a8bc · 91d769e8
Commit 91d769e8 authored Jan 27, 2019 by Jason R. Coombs
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 3 deletions

pkg_resources/__init__.py pkg_resources/__init__.py +24 -3

No files found.
--- a/pkg_resources/__init__.py
+++ b/pkg_resources/__init__.py
@@ -39,6 +39,8 @@ import tempfile
 import textwrap
 import itertools
 import inspect
+import ntpath
+import posixpath
 from pkgutil import get_importer
 try:
@@ -1497,15 +1499,34 @@ class NullProvider:
        >>> vrp('foo/f../bar.txt')
        >>> bool(warned)
        False
+        Windows path separators are straight-up disallowed.
+        >>> vrp(r'\\foo/bar.txt')
+        Traceback (most recent call last):
+        ...
+        ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
+        >>> vrp(r'C:\\foo/bar.txt')
+        Traceback (most recent call last):
+        ...
+        ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
        """
        invalid = (
-            '..' in path.split('/') or
+            os.path.pardir in path.split(posixpath.sep) or
-            path.startswith('/')
+            posixpath.isabs(path) or
+            ntpath.isabs(path)
        )
        if not invalid:
            return
-        msg = "Use of .. or leading '/' in a resource path is not allowed."
+        msg = "Use of .. or absolute path in a resource path is not allowed."
+        # Aggressively disallow Windows absolute paths
+        if ntpath.isabs(path) and not posixpath.isabs(path):
+            raise ValueError(msg)
        # for compatibility, warn; in future
        # raise ValueError(msg)
        warnings.warn(