pkg_resources.resource_string allows absolute paths and paths with .. - contrary to docs
The https://setuptools.readthedocs.io/en/latest/pkg_resources.html ("Basic Resource Access") page claims:
Note that resource names must be /-separated paths and cannot be absolute (i.e. no leading /)
or contain relative names like "..".
Let's see:
>>> pkg_resources.resource_string('multiprocessing', '/__init__.py')
'#\n# Package analogous …
>>> pkg_resources.resource_string('multiprocessing', '../../../../etc/passwd')
'root:x:0:0:root…
I'd say some validation is missing.
Tested on both Python 2.7 and Python 3.6, with pkg_resources as shipped in Ubuntu 18.04.
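As an added example (not code from the report or from setuptools), the following validator enforces the contract the documentation quotes above, and a wrapper applies it before delegating to pkg_resources.resource_string. The names validate_resource_name, is_valid_resource_name and safe_resource_string are this example's own; rejecting backslashes, NUL bytes, "." and empty segments goes beyond what the docs state and is an assumption about what a strict reading should look like.

```python
"""Enforce the documented pkg_resources resource-name contract before loading.

Added example: the docs say names are '/'-separated, never absolute (no
leading '/') and never contain '..'. This module checks exactly that, plus a
few stricter rules marked as assumptions below, so a caller never hands an
unvalidated name to pkg_resources.resource_string.
"""


class InvalidResourceName(ValueError):
    """Raised when a resource name violates the documented contract."""


def validate_resource_name(name):
    """Return ``name`` unchanged if it is an acceptable resource name.

    Rules from the docs: '/'-separated, not absolute, no '..' segments.
    Assumptions beyond the docs (this example's stricter reading):
    - must be a non-empty str,
    - no NUL bytes (would truncate the path in C-level calls),
    - no backslashes (the contract is '/'-separated only),
    - no '.' or empty segments (normalisation surprises).
    """
    if not isinstance(name, str) or not name:
        raise InvalidResourceName("resource name must be a non-empty str")
    if "\x00" in name:
        raise InvalidResourceName("resource name contains a NUL byte")
    if "\\" in name:
        raise InvalidResourceName(
            "resource names are '/'-separated; backslash not allowed: %r" % name)
    if name.startswith("/"):
        raise InvalidResourceName("resource name must not be absolute: %r" % name)
    for segment in name.split("/"):
        if segment in ("", ".", ".."):
            raise InvalidResourceName(
                "disallowed path segment %r in %r" % (segment, name))
    return name


def is_valid_resource_name(name):
    """Boolean convenience form of validate_resource_name."""
    try:
        validate_resource_name(name)
    except InvalidResourceName:
        return False
    return True


def safe_resource_string(package, name):
    """Read ``name`` from ``package`` only after the name passes validation.

    Hypothetical wrapper, not part of setuptools. The import is deferred so
    the validator above runs even where pkg_resources is not installed.
    """
    validate_resource_name(name)
    import pkg_resources
    return pkg_resources.resource_string(package, name)


if __name__ == "__main__":
    # Constructed sample names: the two from the report plus ordinary ones.
    for candidate in ("data/config.json", "__init__.py", "/__init__.py",
                      "../../../../etc/passwd", "data\\config.json", "a//b"):
        print("%-28r valid=%s" % (candidate, is_valid_resource_name(candidate)))
```

The wrapper deliberately fails closed: any name the validator rejects raises before pkg_resources is touched, so the two calls shown in the report would both raise InvalidResourceName instead of returning file contents.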