Auto merge of #1098 - ranma42:safe-untar, r=brson

Update tar and use new safe unpacking function

The `unpack_in` function automatically handles the creation of the
directories and validates the path name, but it is only available
since version 0.4.11 of the `tar` crate.

This is the rustup side of fixing #1092.

Author: bors

Cargo.lock

@@ -17,7 +17,7 @@ regex = "0.1.41"
 itertools = "0.4.1"
 ole32-sys = "0.2.0"
 url = "1.1.0"
-tar = "0.4.0"
+tar = "0.4.11"
 flate2 = "0.2.9"
 tempdir = "0.3.4"
 walkdir = "0.1.5"

src/rustup-dist/Cargo.toml

@@ -199,7 +199,7 @@ fn unpack_without_first_dir<R: Read>(archive: &mut tar::Archive<R>, path: &Path)
         // Throw away the first path component
         components.next();
         let full_path = path.join(&components.as_path());
-        try!(entry.unpack(&full_path).chain_err(|| ErrorKind::ExtractingPackage));
+        try!(entry.unpack_in(&full_path).chain_err(|| ErrorKind::ExtractingPackage));
     }
 
     Ok(())

src/rustup-dist/src/component/package.rs

@@ -17,7 +17,7 @@ walkdir = "0.1.5"
 flate2 = "0.2.9"
 tempdir = "0.3.4"
 itertools = "0.4.1"
-tar = "0.4.0"
+tar = "0.4.11"
 toml = "0.1.27"
 rustup-utils = { path = "../rustup-utils" }
 sha2 = "0.1.2"