The https://setuptools.readthedocs.io/en/latest/pkg_resources.html ("Basic Resource Access") page claims:

> Note that resource names must be /-separated paths and cannot be absolute (i.e. no leading /)
> or contain relative names like "..".

Let's see:

```
>>> pkg_resources.resource_string('multiprocessing', '/__init__.py')
'#\n# Package analogous …
>>> pkg_resources.resource_string('multiprocessing', '../../../../etc/passwd')
'root:x:0:0:root…
```

I'd say some validation is missing. Tested on both python2.7 and python3.6, with pkg_resources as in Ubuntu 18.04.
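The check the documentation describes but the report shows is missing, as an added example that is not setuptools' own code: `validate_resource_name`, `is_safe_resource_name` and `resolve_within` are hypothetical names, and the containment check assumes the package's resources live under one base directory.

```python
"""Lexical and filesystem checks for '/'-separated resource names (added example)."""
import os
import posixpath


class InvalidResourceName(ValueError):
    """Raised when a resource name could escape the package directory."""


def validate_resource_name(name: str) -> str:
    """Enforce the documented rule: relative, '/'-separated, no '..' parts.

    Returns the normalized name, or raises InvalidResourceName.
    """
    if not isinstance(name, str) or name == "":
        raise InvalidResourceName("empty resource name")
    if "\\" in name:
        raise InvalidResourceName("backslash not allowed; use '/' as separator")
    if name.startswith("/"):
        raise InvalidResourceName("absolute resource names are not allowed")
    parts = name.split("/")
    if ".." in parts:
        raise InvalidResourceName("'..' components are not allowed")
    if any(part == "" for part in parts):
        # catches '//' and a trailing '/', which would otherwise normalize silently
        raise InvalidResourceName("empty path component")
    # '.' components are harmless; collapse them so callers see a canonical name
    return posixpath.normpath(name)


def is_safe_resource_name(name: str) -> bool:
    """Boolean form of validate_resource_name for use in filters or tests."""
    try:
        validate_resource_name(name)
        return True
    except InvalidResourceName:
        return False


def resolve_within(base_dir: str, name: str) -> str:
    """Map a validated name onto base_dir and verify the result stays inside it.

    The second check is defence in depth: it catches anything the lexical
    rules miss (for example a base_dir that is itself a symlink target).
    """
    normalized = validate_resource_name(name)
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, *normalized.split("/")))
    if os.path.commonpath([base, target]) != base:
        raise InvalidResourceName("resolved path escapes %s" % base)
    return target
```

Both of the names from the session above are rejected by `validate_resource_name` before any file is opened.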