> But the custom filter wouldn't be sound even with the typo fixed,
> because str.startswith() and Path.resolve() are wrong tools for the job.
> Anyway, I suspect that cve-bin-tool's extractors for other file formats
> are still vulnerable to path traversal, so I wouldn't recommend running
> it against untrusted files.

"We must first agree that software security is not security software", writes Gary McGraw in the first chapter .. http://swsec.com/press/ra-ieeesp.php
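An added example, not code from the thread or from cve-bin-tool, contrasting the resolve-then-startswith pattern the quoted reply criticises with a component-wise containment check for archive member names; the base directory and member names are constructed.

```python
import os
from pathlib import Path


def prefix_check(base: str, member: str) -> bool:
    """The pattern under criticism: resolve, then compare as strings.
    '/tmp/extract' is a string prefix of '/tmp/extract_evil', so a member
    named '../extract_evil/x' passes although it leaves the base directory."""
    target = Path(base, member).resolve()
    return str(target).startswith(str(Path(base).resolve()))


def contained_check(base: str, member: str) -> bool:
    """Component-wise containment for an archive member name.
    Purely lexical (no symlink following), so the verdict cannot change
    between the check and the write; additionally refuses to descend
    through an existing symlink that an earlier member may have planted."""
    if os.path.isabs(member) or os.path.splitdrive(member)[0]:
        return False                      # absolute names never belong in an archive
    base_abs = os.path.abspath(base)
    target = os.path.normpath(os.path.join(base_abs, member))
    if target == base_abs:
        return False                      # member names the extraction root itself
    if os.path.commonpath([base_abs, target]) != base_abs:
        return False                      # '..' escaped the base directory
    cur = base_abs
    for part in os.path.relpath(target, base_abs).split(os.sep)[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return False                  # would write through a symlink
    return True


if __name__ == "__main__":
    # constructed member names; '/tmp/extract' need not exist for the lexical check
    for name in ("a/b.txt", "../extract_evil/x", "/etc/passwd", "a/../../x"):
        print(f"{name!r}: prefix={prefix_check('/tmp/extract', name)} "
              f"contained={contained_check('/tmp/extract', name)}")
```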