update_pdfium: fix tar vuln false negatives (e. g. '/dest', '/dest2')

https://gist.github.com/Kasimir123/9bdc38f2eac9a19f83ef6cc52c7ce82e?permalink_comment_id=4485787#gistcomment-4485787

Author: mara004

setupsrc/pypdfium2_setup/update_pdfium.py

@@ -8,6 +8,7 @@
 import argparse
 import traceback
 import functools
+import os.path
 from pathlib import Path
 from urllib import request
 from concurrent.futures import ThreadPoolExecutor
@@ -88,11 +89,8 @@ def safe_extract(tar, dest_dir, **kwargs):
 
     dest_dir = dest_dir.resolve()
     for member in tar.getmembers():
-        # if str(dest_dir) != os.path.commonprefix( [dest_dir, (dest_dir/member.name).resolve()] ):
-        # ^ initial @Kasimir123/@TrellixVulnTeam logic, simplified into a one-liner; code below should have same effect
-        # (yes, this also works against absolute paths)
         # if not (dest_dir/member.name).resolve().is_relative_to(dest_dir):  # python >= 3.9
-        if not str( (dest_dir/member.name).resolve() ).startswith( str(dest_dir) ):
+        if str(dest_dir) != os.path.commonprefix( [dest_dir, (dest_dir/member.name).resolve()] ):
             raise RuntimeError("Attempted path traversal in tar archive (probably malicious).")
     tar.extractall(dest_dir, **kwargs)