Comment 9 for bug 894755

Issue looks valid to me - we can't trust what users upload to s3/objectstore

Fix looks fine too - it's a bit odd to open the file twice, but the alternative of doing something like tar_file.fileobj.seek(0) is just too hacky. Also, no attempt is made to explicitly close the file if there's an exception, but that's true of the original untarzip_image() code too

So, yeah - lgtm too