tarfile does not check pathnames or linknames on extraction. This can
lead to data loss or attack scenarios when members with absolute
pathnames or pathnames outside of the archive's scope overwrite or
overlay existing files or directories.

Example for a symlink attack against /etc/passwd:

foo -> /etc
foo/passwd

no change to extract() ?

otherwise looks good to me. if you don't object, i am applying this to
SUSE's python 2.5

In principle I do not object, but this is a preliminary patch. I am
still not happy with the naming of the "check_paths" argument. Also, the
patch was made against the trunk which means that it contains hunks with
the new reStructuredText documentation. Please be patient.

I do not change extract() because it has become more and more a
low-level method over the years, that makes promises it cannot keep and
should not be used at all. I try to discourage its use in the documentation.

After careful consideration and a private discussion with Martin I do no
longer think that we have a security issue here. tarfile.py does nothing
wrong, its behaviour conforms to the pax definition and pathname
resolution guidelines in POSIX. There is no known or possible practical
exploit.

I update the documentation with a warning, that it might be dangerous to
extract archives from untrusted sources. That is the only thing to be
done IMO.

if that can be considered "official stance", it's fine by me. feel free
to close the bug.

I updated the documentation, r57764 (trunk) and r57765 (2.5).