From fdb969ea8985e571c97f7dd4c34736ce3537eb48 Mon Sep 17 00:00:00 2001
From: ed
Date: Tue, 11 Oct 2022 17:44:38 +0200
Subject: [PATCH] explain why extractall is safe to use

---
 scripts/sfx.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/sfx.py b/scripts/sfx.py
index d80576ed..3b731431 100644
--- a/scripts/sfx.py
+++ b/scripts/sfx.py
@@ -269,6 +269,12 @@ def unpack():
         raise Exception(t.format(CKSUM, SIZE, ck, sz))
 
     with tarfile.open(tar, "r:bz2") as tf:
+        # this is safe against traversal
+        # skip 1
+        # since it will never process user-provided data;
+        # the only possible input is a single tar.bz2
+        # which gets hardcoded into this script at build stage
+        # skip 0
         tf.extractall(mine)
 
     os.remove(tar)
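Review bot: The added comment justifies `tf.extractall(mine)` by provenance alone, but what actually binds the archive to the build-time payload is the CKSUM/SIZE verification whose failure path is visible just above the `with` block; the comment should say so, e.g. `# safe against traversal: the archive is embedded at build time and its checksum and size are verified above before extraction`. The interleaved `# skip 1` / `# skip 0` lines look like markers consumed by the build tooling rather than part of the explanation; if so, a word saying that would keep a reader from treating them as prose. Independently of the comment, Python 3.12+ emits a DeprecationWarning for `extractall` called without an extraction filter, and the "data" filter rejects path traversal regardless of where the archive came from, so a cheap defense in depth is `try: tf.extractall(mine, filter="data")` with `except TypeError: tf.extractall(mine)` for interpreters that predate the keyword. The enclosing `unpack()` starts outside the hunk.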