| author | Jason R. Coombs <jaraco@jaraco.com> | 2019-01-20 21:31:39 -0500 |
|---|---|---|
| committer | Jason R. Coombs <jaraco@jaraco.com> | 2019-01-20 21:33:53 -0500 |
| commit | 1b935caf64fc8f3eb72c7ee8c05a221f7ca9d9b7 (patch) | |
| tree | 6198961b49558cb82c05fe634c670b7edc041f3c /pkg_resources/__init__.py | |
| parent | 20f38687bbcf0e668902d37d51023f1fddc55273 (diff) | |
Also disallow leading '/' in resource paths. Ref #1635.
Diffstat (limited to 'pkg_resources/__init__.py')
| -rw-r--r-- | pkg_resources/__init__.py | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/pkg_resources/__init__.py b/pkg_resources/__init__.py
index a3f1c56f..37222720 100644
--- a/pkg_resources/__init__.py
+++ b/pkg_resources/__init__.py
@@ -1489,7 +1489,7 @@ class NullProvider:
         >>> warned.clear()
         >>> vrp('/foo/bar.txt')
         >>> bool(warned)
-        False
+        True
         >>> vrp('foo/../../bar.txt')
         >>> bool(warned)
         True
@@ -1498,11 +1498,14 @@ class NullProvider:
         >>> bool(warned)
         False
         """
-        invalid = '..' in path.split('/')
+        invalid = (
+            '..' in path.split('/') or
+            path.startswith('/')
+        )
         if not invalid:
             return
-        msg = "Use of .. in a resource path is not allowed."
+        msg = "Use of .. or leading '/' in a resource path is not allowed."
         # for compatibility, warn; in future
         # raise ValueError(msg)
         warnings.warn(
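Review bot: The new `invalid` test in the second hunk only understands POSIX syntax: `path.split('/')` never yields a `..` segment when the separators are backslashes, and `path.startswith('/')` does not flag `\\foo` or `C:\\foo`, so a backslash-separated or drive-letter path still passes unwarned on any platform whose path joiner honours those forms (presumably Windows). Normalising the separator and checking both absolute-path flavours closes that gap, `invalid = ('..' in path.replace('\\', '/').split('/') or posixpath.isabs(path) or ntpath.isabs(path))`, with `posixpath` and `ntpath` imported at the top of the file if they are not already there (the import block is outside this diff); the doctest above should then also exercise a backslash `..` and a drive-letter case, and the warning text should name those forms as well. Note that, as the `# for compatibility, warn` comment says, the function still only warns and never rejects, so a caller wanting enforcement must turn that warning into an error itself. The enclosing function's signature and the rest of its `warnings.warn(` call lie outside the hunk, and the header counts 11 old lines while only 10 are shown, so the hunk's final line appears to be cut off on this page.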
