78 - archive.extractall
78 + def is_within_directory(directory, target):
79 +
80 + abs_directory = os.path.abspath(directory)
81 + abs_target = os.path.abspath(target)
82 +
83 + prefix = os.path.commonprefix([abs_directory, abs_target])
84 +
85 + return prefix == abs_directory
86 +
87 + def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
88 +
89 + for member in tar.getmembers():
90 + member_path = os.path.join(path, member.name)
91 + if not is_within_directory(path, member_path):
92 + raise Exception("Attempted Path Traversal in Tar File")
93 +
94 + tar.extractall(path, members, numeric_owner=numeric_owner)
95 +
96 +
97 + safe_extract(archive, tempdir)
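Review bot: `is_within_directory` decides containment with `os.path.commonprefix`, which compares character by character rather than by path component, so a target in a sibling directory whose name merely begins with the destination's name (constructed example: `/tmp/out` versus `/tmp/out-other`) is accepted as inside. Comparing whole components closes that gap: `return os.path.commonpath([abs_directory, abs_target]) == abs_directory`. The loop in `safe_extract` also validates only `member.name`; symlink and hardlink members are not examined and `os.path.abspath` does not resolve links, so link targets need their own check, or, where the running Python supports it, `extractall(..., filter="data")`. The function enclosing the `safe_extract(archive, tempdir)` call lies outside the hunk, and the original indentation is not recoverable from this rendering.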