authorJason R. Coombs <jaraco@jaraco.com>2019-01-20 21:31:39 -0500
committerJason R. Coombs <jaraco@jaraco.com>2019-01-20 21:33:53 -0500
commit1b935caf64fc8f3eb72c7ee8c05a221f7ca9d9b7 (patch)
tree6198961b49558cb82c05fe634c670b7edc041f3c
parent20f38687bbcf0e668902d37d51023f1fddc55273 (diff)
downloadexternal_python_setuptools-1b935caf64fc8f3eb72c7ee8c05a221f7ca9d9b7.tar.gz
external_python_setuptools-1b935caf64fc8f3eb72c7ee8c05a221f7ca9d9b7.tar.bz2
external_python_setuptools-1b935caf64fc8f3eb72c7ee8c05a221f7ca9d9b7.zip
Also disallow leading '/' in resource paths. Ref #1635.
-rw-r--r--changelog.d/1635.change.rst2
-rw-r--r--docs/pkg_resources.txt5
-rw-r--r--pkg_resources/__init__.py9
3 files changed, 10 insertions, 6 deletions
diff --git a/changelog.d/1635.change.rst b/changelog.d/1635.change.rst
index 7227ce0d..7c35dfd1 100644
--- a/changelog.d/1635.change.rst
+++ b/changelog.d/1635.change.rst
@@ -1 +1 @@
-Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents. Violations of this expectation raise DeprecationWarnings and will become errors.
+Resource paths are passed to ``pkg_resources.resource_string`` and similar no longer accept paths that traverse parents or begin with a leading ``/``. Violations of this expectation raise DeprecationWarnings and will become errors.
diff --git a/docs/pkg_resources.txt b/docs/pkg_resources.txt
index 21aac814..cdc1a5a5 100644
--- a/docs/pkg_resources.txt
+++ b/docs/pkg_resources.txt
@@ -1132,8 +1132,9 @@ relative to the root of the identified distribution; i.e. its first path
segment will be treated as a peer of the top-level modules or packages in the
distribution.
-Note that resource names must be ``/``-separated paths rooted at the package
-and cannot contain relative names like ``".."``. Do *not* use
+Note that resource names must be ``/``-separated paths rooted at the package,
+cannot contain relative names like ``".."``, and cannot begin with a
+leading ``/``. Do *not* use
``os.path`` routines to manipulate resource paths, as they are *not* filesystem
paths.
diff --git a/pkg_resources/__init__.py b/pkg_resources/__init__.py
index a3f1c56f..37222720 100644
--- a/pkg_resources/__init__.py
+++ b/pkg_resources/__init__.py
@@ -1489,7 +1489,7 @@ class NullProvider:
>>> warned.clear()
>>> vrp('/foo/bar.txt')
>>> bool(warned)
- False
+ True
>>> vrp('foo/../../bar.txt')
>>> bool(warned)
True
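Review bot: The doctest flipped here only covers a name rooted with `/`, while the check it documents (the `path.startswith('/')` line in the following hunk, which runs past the end of this view) treats `/` as the only root marker and `'..'` only among `/`-split segments, so a name beginning with a backslash or carrying `..` between backslashes is not flagged. That matters on Windows if the provider resolves the name with `os.path.join`, which I cannot confirm from these hunks; check `NullProvider._fn` before relying on this warning as the traversal guard. If it does, widen the condition to something like `path.startswith(('/', '\\')) or '..' in re.split(r'[/\\]', path)` and add a companion doctest next to the `/foo/bar.txt` case so the backslash form is pinned too. The method itself (aliased as `vrp` in the doctest) starts outside this hunk.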
@@ -1498,11 +1498,14 @@ class NullProvider:
>>> bool(warned)
False
"""
- invalid = '..' in path.split('/')
+ invalid = (
+ '..' in path.split('/') or
+ path.startswith('/')
+ )
if not invalid:
return
- msg = "Use of .. in a resource path is not allowed."
+ msg = "Use of .. or leading '/' in a resource path is not allowed."
# for compatibility, warn; in future
# raise ValueError(msg)
warnings.warn(