Nathaniel's argument against saving without explicit user permission
(Trojan horses) holds for single files, not for archives. An explicit
assumption for archives of this kind is that everything in the archive
is extracted in *relative* to a mother directory specified once in the
multipart/archive header. A user agent can check that filenames used
in auto-extraction are in fact legal and relative, and go back to veto
mode if it detects an attempt to overwrite an existing file. In the
normal case, the user only needs to say 'yes' for the top-level
directory (or give an alternate directory).
This is much better than shar files, where you just have to hope it's
safe.
--Guido van Rossum, CWI, Amsterdam <guido(_at_)cwi(_dot_)nl>
"It has ceased to be"