From 91d769e88f0ae9e5dfce1fb9448864201407b579 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs"
Date: Sun, 27 Jan 2019 11:07:40 -0500
Subject: Disallow Windows absolute paths unconditionally with no deprecation period.
---
 pkg_resources/__init__.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
(limited to 'pkg_resources')
diff --git a/pkg_resources/__init__.py b/pkg_resources/__init__.py
index b30392fa..dcfa1d08 100644
--- a/pkg_resources/__init__.py
+++ b/pkg_resources/__init__.py
@@ -39,6 +39,8 @@ import tempfile
 import textwrap
 import itertools
 import inspect
+import ntpath
+import posixpath
 from pkgutil import get_importer
 try:
@@ -1497,15 +1499,34 @@ class NullProvider:
 >>> vrp('foo/f../bar.txt')
 >>> bool(warned)
 False
+
+ Windows path separators are straight-up disallowed.
+ >>> vrp(r'\\foo/bar.txt')
+ Traceback (most recent call last):
+ ...
+ ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
+
+ >>> vrp(r'C:\\foo/bar.txt')
+ Traceback (most recent call last):
+ ...
+ ValueError: Use of .. or absolute path in a resource path \
+is not allowed.
 """
 invalid = (
- '..' in path.split('/') or
- path.startswith('/')
+ os.path.pardir in path.split(posixpath.sep) or
+ posixpath.isabs(path) or
+ ntpath.isabs(path)
 )
 if not invalid:
 return
- msg = "Use of .. or leading '/' in a resource path is not allowed."
+ msg = "Use of .. or absolute path in a resource path is not allowed."
+
+ # Aggressively disallow Windows absolute paths
+ if ntpath.isabs(path) and not posixpath.isabs(path):
+ raise ValueError(msg)
+
 # for compatibility, warn; in future
 # raise ValueError(msg)
 warnings.warn(
--
cgit v1.2.3
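Review bot: The `invalid` expression in the second hunk still looks for `..` only between `/` separators, so a relative path written with backslashes such as `foo\..\bar.txt` passes validation without even a warning, although Windows resolves the parent-directory component once the path reaches the filesystem. The docstring line "Windows path separators are straight-up disallowed" overstates the check, because only paths for which `ntpath.isabs` is true are rejected. Consider adding `os.path.pardir in path.split(ntpath.sep) or` to `invalid` and to the condition that raises, and rejecting drive-relative forms like `C:foo` (which `ntpath.isabs` does not treat as absolute) via `ntpath.splitdrive(path)[0]`, each with a doctest. The method starts and ends outside this hunk, so how the warning branch continues is not visible here.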