Arbitrary file overrides in startproject/app template extraction
Patch needs improvement
Note: This was reported as a security issue initially by me, but we think that this is more hardening than an actual issue -- if you are downloading untrusted archives the content can be much worse anyways…
The issue here is that tar files (and probably zip files too) can store full and/or relative paths and therefore escape out of the extraction root.
Attached is an initial WIP to show the issue and possible solution.
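As an added illustration of the check the ticket describes (this is not the attached WIP patch or Django's own code), the following Python rejects tar members whose stored name, or whose symlink/hardlink target, would resolve outside the extraction root. The root path and archive contents are constructed for the example and nothing is written to disk.

```python
import io
import os
import tarfile

# Hypothetical extraction root; the sample archive stays in memory, nothing touches disk.
EXTRACTION_ROOT = "/tmp/django_template_root"

def is_within_root(root, path):
    # Resolve '..', symlinked parents and absolute names before comparing against root.
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, path))
    return target == root or target.startswith(root + os.sep)

def unsafe_members(archive, root):
    # Members that would land outside root: absolute/'..' names, or links pointing outside.
    bad = []
    for member in archive.getmembers():
        if not is_within_root(root, member.name):
            bad.append(member.name)
        elif member.issym():
            link = member.linkname  # symlink targets are relative to the link's own directory
            if not os.path.isabs(link):
                link = os.path.join(os.path.dirname(member.name), link)
            if not is_within_root(root, link):
                bad.append(member.name)
        elif member.islnk() and not is_within_root(root, member.linkname):
            bad.append(member.name)  # hardlink targets are archive-relative
    return bad

def safe_extractall(archive, root):
    # Reject the whole archive on any bad member rather than extracting it partially.
    bad = unsafe_members(archive, root)
    if bad:
        raise ValueError("members escape %s: %s" % (root, ", ".join(bad)))
    archive.extractall(root)

def build_sample_archive():
    # Constructed tar: one benign member and two that escape the extraction root.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("project/settings.py", "../outside.py", "/etc/passwd"):
            data = b"# constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def unsafe_in_sample():
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return unsafe_members(tar, EXTRACTION_ROOT)
```

`unsafe_in_sample()` returns `['../outside.py', '/etc/passwd']`, while the benign `project/settings.py` passes the check.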