We only support arcname with one leading '/', but not more. This patch fixes it.

We don't support arcname with '..' well. The default behavior of unzip and 7z is to ignore all '..'. This patch does the same.

Also updated the doc. If there are other security related issues exist, we should revise the doc.

Please review.

What happens when the archive contains both 'foo' and '../foo'? They seem to be extracted at the same place.

$ unzip -l t.zip 
Archive:  t.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        3  01-14-2011 21:11   ../foo
        3  01-14-2011 21:11   foo
---------                     -------
        6                     2 files
[zhigang@localhost tmp]$ unzip -d aa t.zip
Archive:  t.zip
warning:  skipped "../" path component(s) in ../foo
 extracting: aa/foo                  
replace aa/foo? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
 extracting: aa/foo                  


$ 7za x -oaa t.zip 

7-Zip (A) 9.13 beta  Copyright (c) 1999-2010 Igor Pavlov  2010-04-15
p7zip Version 9.13 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: t.zip

file aa/foo
already exists. Overwrite with 
../foo?
(Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? A
Extracting  ../foo
Extracting  foo

Everything is Ok

Files: 2
Size:       6
Compressed: 198

Yes, in zipfile, we just overwrite it. Actually, ZipFile.extract() overwrite existing files already. If we want it more powerful, we can add a 'overwrite' parameter. But turning zipfile a full featured zip/unzip tool needs much more extra work...