I'm trying to extract user-submitted zip and tar files to a directory. The documentation for zipfile's extractall method (similarly with tarfile's extractall) states that
Contrary to the popular answer, unzipping files safely is not completely solved as of Python 2.7.4. The extractall method is still dangerous and can lead to path traversal, either directly or through the unzipping of symbolic links. Here was my final solution which should prevent both attacks in all versions of Python, even versions prior to Python 2.7.4 where the extract method was vulnerable:
import zipfile, os

def safe_unzip(zip_file, extractpath='.'):
    # Resolve the destination once; every member is checked against it.
    base = os.path.abspath(extractpath)
    with zipfile.ZipFile(zip_file, 'r') as zf:
        for member in zf.infolist():
            abspath = os.path.abspath(os.path.join(base, member.filename))
            # Compare against the directory plus a separator, not a bare string
            # prefix, so a sibling such as "/tmp/foobar" does not pass for "/tmp/foo".
            if abspath == base or abspath.startswith(base + os.sep):
                zf.extract(member, extractpath)
Edited: Fixed variable name clash. Thanks Juuso Ohtonen.
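As an added example (not the answer's own code), here is a version of the same idea that checks path components rather than string prefixes, also rejects symlink members by reading the Unix mode bits stored in `external_attr`, and exercises both checks against a constructed in-memory archive; `safe_unzip`, `build_sample_zip` and `run_demo` are names chosen for this example.

```python
import io
import os
import stat
import tempfile
import zipfile


def safe_unzip(zip_file, extractpath='.'):
    """Extract members that resolve inside extractpath and are not symlinks.

    Returns (extracted, skipped) member names so callers can log rejections.
    """
    base = os.path.realpath(extractpath)
    extracted, skipped = [], []
    with zipfile.ZipFile(zip_file, 'r') as zf:
        for member in zf.infolist():
            target = os.path.realpath(os.path.join(base, member.filename))
            # Component-wise containment check: "../x" and absolute names fall out,
            # and a sibling directory sharing a name prefix does not pass.
            if os.path.commonpath([base, target]) != base:
                skipped.append(member.filename)
                continue
            # Unix mode bits live in the high 16 bits of external_attr; a symlink
            # member could later redirect writes outside the tree, so refuse it.
            if stat.S_ISLNK(member.external_attr >> 16):
                skipped.append(member.filename)
                continue
            zf.extract(member, base)
            extracted.append(member.filename)
    return extracted, skipped


def build_sample_zip():
    """Constructed sample: one benign file, one traversal name, one symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('docs/readme.txt', 'hello')
        zf.writestr('../escape.txt', 'should never be written')
        link = zipfile.ZipInfo('docs/link')
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # symlink mode
        zf.writestr(link, 'outside_target')
    buf.seek(0)
    return buf


def run_demo():
    """Extract the sample into a fresh temp dir; report what landed on disk."""
    dest = tempfile.mkdtemp()
    extracted, skipped = safe_unzip(build_sample_zip(), dest)
    on_disk = sorted(os.path.relpath(os.path.join(d, f), dest).replace(os.sep, '/')
                     for d, _, fs in os.walk(dest) for f in fs)
    return extracted, skipped, on_disk
```

For tar archives, Python 3.12 added extraction filters (`tarfile.extractall(..., filter='data')`) that reject the same classes of member, so on current interpreters prefer that over a hand-rolled check.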