Explicitly disallow resource paths starting with single backslash (#4356

)
pypa · May 14, 2024 · e66f94c · e66f94c
2 parents 544b332 + d53bf15
commit e66f94c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/pkg_resources/__init__.py b/pkg_resources/__init__.py
@@ -1604,14 +1604,15 @@ def _validate_resource_path(path):
             os.path.pardir in path.split(posixpath.sep)
             or posixpath.isabs(path)
             or ntpath.isabs(path)
+            or path.startswith("\\")
         )
         if not invalid:
             return
 
         msg = "Use of .. or absolute path in a resource path is not allowed."
 
         # Aggressively disallow Windows absolute paths
-        if ntpath.isabs(path) and not posixpath.isabs(path):
+        if (path.startswith("\\") or ntpath.isabs(path)) and not posixpath.isabs(path):
             raise ValueError(msg)
 
         # for compatibility, warn; in future