Comment 3 for bug 894755

Can you include a test to make sure we actually plug the hole? Include a "malicious" tarball in the tests directory (remember to add it to MANIFEST.in) and run it through this routine.