Alert: 15-year-old Python tarfile flaw lurks in 'over 350,000' code projects

OhForF' Silver badge

Re: No need for path games

I agree: when extracting a tarball from a source that is not 100% trustworthy, you have to know it can overwrite anything accessible to the user running it.

If you need it to only access stuff inside a directory other than /, you can use chroot.

Assuming Python (or tar or whatever) will behave as if it were in a chrooted environment is just a wrong assumption and not a Python problem.

While that ../ path squashing might be unexpected and considered weird by some, it shouldn't be a security problem.
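Checking archive members before extraction, as an added example that is not part of the comment above or of any project's code: `check_members`, `safe_extract`, `build_sample_tar` and the constructed three-member archive are this example's own names and data. It rejects any member whose name, or whose symlink/hardlink target, resolves outside the destination directory, and on interpreters that ship `tarfile.data_filter` it also passes the standard `data` filter to `extractall`.

```python
import io
import os
import tarfile
import tempfile


def _is_within(base, target):
    """True if the fully resolved target path lies inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_members(tar, dest):
    """Split a TarFile's members into (safe, rejected_names).

    A member is rejected when its name is absolute or resolves outside dest,
    or when it is a symlink/hardlink whose target resolves outside dest.
    """
    safe, rejected = [], []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not _is_within(dest, target):
            rejected.append(m.name)
            continue
        if m.issym() or m.islnk():
            # symlink targets are relative to the link's own directory,
            # hardlink targets are relative to the archive root
            if m.issym():
                link_target = os.path.join(os.path.dirname(target), m.linkname)
            else:
                link_target = os.path.join(dest, m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, link_target):
                rejected.append(m.name)
                continue
        safe.append(m)
    return safe, rejected


def safe_extract(tar_bytes, dest):
    """Extract only members that stay inside dest; return the rejected names."""
    os.makedirs(dest, exist_ok=True)
    # use the stdlib 'data' filter where the interpreter provides it (3.12+, and backports)
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        safe, rejected = check_members(tar, dest)
        tar.extractall(path=dest, members=safe, **extra)
    return rejected


def build_sample_tar():
    """Constructed archive: one benign file, one '../' traversal, one absolute path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escape.txt", "/etc/evil.txt"):
            data = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Run the check in a scratch directory; returns (rejected, extracted_ok, escaped)."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "out")
        rejected = safe_extract(build_sample_tar(), dest)
        extracted_ok = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
        escaped = os.path.exists(os.path.join(scratch, "escape.txt"))
    return sorted(rejected), extracted_ok, escaped


if __name__ == "__main__":
    print(demo())
```

The resolution step uses `os.path.realpath` on both sides so that symlinks already present under the destination cannot be used to redirect a write; this is the check a chroot would otherwise be relied on to enforce.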
