From 637c30d7a18335062302c7a5dd3a95d10f028c02 Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Thu, 3 Dec 2015 12:17:47 +0100
Subject: [PATCH 4/4] Ensure the extraction path is actually always in the dest_directory

---
 diffoscope/comparators/libarchive.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/diffoscope/comparators/libarchive.py b/diffoscope/comparators/libarchive.py
index ee004b3..0d72c19 100644
--- a/diffoscope/comparators/libarchive.py
+++ b/diffoscope/comparators/libarchive.py
@@ -121,7 +121,9 @@ class LibarchiveContainer(Archive):
         return member_names
 
     def extract(self, member_name, dest_dir):
-        dest_path = '%s%s%s' % (dest_dir, os.sep, member_name)
+        dest_path = os.path.abspath('%s%s%s' % (dest_dir, os.sep, member_name))
+        if not dest_path.startswith(dest_dir):
+            raise KeyError('Bad member name %s', member_name)
         logger.debug('libarchive extracting %s to %s', member_name, dest_path)
         with libarchive.file_reader(self.source.path) as archive:
             for entry in archive:
-- 
2.6.3
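Review bot: The added containment check is a plain string-prefix test, so a normalized `dest_path` of `<dest_dir>-sibling/...` (for example `/tmp/out2/x` when `dest_dir` is `/tmp/out`) passes, and a `dest_dir` that is relative, contains `..` or ends in a separator is not normalized the way `dest_path` is, so legitimate members can be rejected or the comparison can be skewed. Compare against a normalized base and require a separator boundary: `base = os.path.abspath(dest_dir)`, `if dest_path != base and not dest_path.startswith(base + os.sep):`, and fix the message on the `raise` line, which currently passes the member name as a second tuple element instead of formatting it: `raise KeyError('Bad member name %s' % member_name)`. Note that `os.path.abspath` does not resolve symlinks, so a symlinked directory already present under `dest_dir` would still redirect the write; whether the extraction loop below (which runs past the end of this hunk) guards against that cannot be seen here.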