Reproducing the bug (before the fix) for the symlinking issue
Thank you for working on CVE-2020-11736 :)
(the fix of which is to -- do not extract a file if its parent is a symbolic link to a directory external to the destination -- fixed via 21dfcdbf)
However, just curious, how could I reproduce this particular bug which has been fixed via here?
I've got a directory structure like this:
Does that seem right enough to reproduce? Or d'you have something else in mind?