Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

Chris Lamb lamby at debian.org
Thu Feb 9 23:20:22 UTC 2017


Ximin Luo wrote:

> this particular scheme might not work so well with large archives
> with lots and lots of members

Mm, although unlikely to be a serious problem as we aren't iterating
over the directory.

> Also, are you sure this doesn't interfere with the detection of
> order-only differences, or the ability to match up
> similar-member-names?

We still use the archive's member name throughout diffoscope; the
unpacked path shouldn't leak outside of that comparator. Also, the
tests pass… *g*


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
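As an added example (not diffoscope's own code and not from this thread), here is a Python sketch of the kind of scheme under discussion: each member of an untrusted archive is written to a path derived from a hash of its name rather than from the name itself, so the member name stays available for matching and display while the on-disk location can never escape the unpack directory. The function names and the sample archive are constructed for this illustration.

```python
import hashlib
import io
import os
import tarfile


def safe_unpack_path(dest_dir, member_name):
    """Map an untrusted archive member name to a path inside dest_dir.

    The on-disk name is a SHA-256 of the member name, so a crafted name such as
    '../../escape.txt' cannot steer the write elsewhere; the caller keeps the
    original member name for matching and display.
    """
    digest = hashlib.sha256(member_name.encode("utf-8", "surrogateescape")).hexdigest()
    path = os.path.join(dest_dir, digest)
    # Defence in depth: verify the resolved path really sits under dest_dir.
    real_dest = os.path.realpath(dest_dir)
    if os.path.commonpath([real_dest, os.path.realpath(path)]) != real_dest:
        raise ValueError("unpack path escaped destination for %r" % (member_name,))
    return path


def unpack_members(archive_bytes, dest_dir):
    """Unpack regular files from a tar archive without trusting member names.

    Returns [(member_name, unpacked_path), ...]: comparisons keep keying on
    member_name, while contents are read from unpacked_path.
    """
    mapping = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # symlinks, devices etc. are deliberately not written
            out_path = safe_unpack_path(dest_dir, member.name)
            with tar.extractfile(member) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            mapping.append((member.name, out_path))
    return mapping


def build_sample_archive():
    """Constructed sample: one benign member and one with a traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("hello.txt", b"hello\n"), ("../../escape.txt", b"oops\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A flat directory of hashed names also sidesteps the "lots and lots of members" concern raised above, since nothing ever has to list or walk the unpack directory.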