Bug report

As the sensational article on bleepingcomputer mentions:
https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/

tarfile.extractall() just extracts everything that is in the tarball. Including stuff like ../../../etc/passwd , which is kind of shady, and exploitable - as the video shows.

This has been reported before:
https://mail.python.org/pipermail/python-dev/2007-August/074290.html
I think the response was: "upstream should fix it". (Meaning: GNU tar)

Eventually, upstream did fix it; tar now throws an error when untarring files with '../' in them:

(base)  %tar -tf tarvuln.tar 
tarvuln/
tarvuln/blu.txt
tarvuln/bla.txt
etc/passwd_notreally
../../etc/passwd_notreally
(base)  %tar -xf tarvuln.tar 
**../../etc/passwd_notreally: Path contains '..'**
tar: Error exit delayed from previous errors.

I suggest tarfile.extractall() is changed so it throws that same error as GNU tar.