Fixed skipping extraction of files or directories containing '..' in

their names.

--HG--
branch : setuptools-0.6
extra : convert_revision : svn%3A6015fed2-1504-0410-9fe1-9d1591cc4771/sandbox/branches/setuptools-0.6%4088795

2 files changed, 8 insertions, 2 deletions

diff --git a/EasyInstall.txt b/EasyInstall.txt
index 91b6cc17..753baf65 100755
--- a/EasyInstall.txt
+++ b/EasyInstall.txt
@@ -1235,6 +1235,12 @@ Release Notes/Change History
 
  * Support user/password credentials in Subversion (svnserve) URLs
 
+ * Fixed problems accessing /dev/null inside the script sandbox, and the sandbox
+   swapping the ``open`` and file`` builtins.
+
+ * Fixed skipping extraction of files or directories containing '..' in their
+   names
+
 0.6c11
  * Fix installed script .exe files not working with 64-bit Python on Windows
    (wasn't actually released in 0.6c10 due to a lost checkin)
diff --git a/setuptools/archive_util.py b/setuptools/archive_util.py
index d26b383b..d44264f8 100755
--- a/setuptools/archive_util.py
+++ b/setuptools/archive_util.py
@@ -138,7 +138,7 @@ def unpack_zipfile(filename, extract_dir, progress_filter=default_filter):
             name = info.filename
 
             # don't extract absolute paths or ones with .. in them
-            if name.startswith('/') or '..' in name:
+            if name.startswith('/') or '..' in name.split('/'):
                 continue
 
             target = os.path.join(extract_dir, *name.split('/'))
@@ -180,7 +180,7 @@ def unpack_tarfile(filename, extract_dir, progress_filter=default_filter):
         for member in tarobj:
             name = member.name
             # don't extract absolute paths or ones with .. in them
-            if not name.startswith('/') and '..' not in name:
+            if not name.startswith('/') and '..' not in name.split('/'):
                 dst = os.path.join(extract_dir, *name.split('/'))
                 while member is not None and (member.islnk() or member.issym()):
                     linkpath = member.linkname