<https://www.sqlite.org/src/info?name=586493be0d3a2fc1e6803577d683697dfefc0fb305cc966bb389ce4045cbc19d&ln=6384-6390> reads:
```
static int arExtractCommand(ArCommand *pAr){
  const char *zSql1 =
    "SELECT "
    " ($dir || name),"
    " writefile(($dir || name), %s, mode, mtime) "
    "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
    " AND name NOT GLOB '*..[/\\]*'";
```
If that last filter condition is meant to block directory traversal attacks, it should probably be:
```
" AND name NOT GLOB '..[/\\]*' AND name NOT GLOB '*[/\\]..[/\\]*'";
```
i.e. separately match `../*` and `*/../*`. Otherwise, valid paths like `And so it begins.../script.txt` will be blocked:
```
$ sqlite3
SQLite version 3.35.5 2021-04-19 18:32:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE test(name TEXT);
sqlite> INSERT INTO test VALUES ('And so it begins.../script.txt');
sqlite> SELECT * FROM test WHERE name NOT GLOB '*..[/\]*';
sqlite> SELECT * FROM test WHERE name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*';
And so it begins.../script.txt
```
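The comparison in the session above, run over a wider set of names. This is an added example, not part of the original post or of the SQLite source; it uses Python's built-in `sqlite3` module, and the sample names and the function names `allowed` and `compare` are constructed for illustration.

```python
import sqlite3

# The two filters as SQLite sees them. The C source writes "\\" only because
# the pattern sits inside a C string literal; GLOB receives a single backslash.
ORIGINAL = r"name NOT GLOB '*..[/\]*'"
PROPOSED = r"name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*'"

# Constructed sample archive member names (only the first is from the post).
SAMPLES = [
    "And so it begins.../script.txt",  # file name that merely ends in dots
    "notes../readme.txt",              # directory name that ends in dots
    "docs/file.txt",                   # ordinary relative path
    "../escape.txt",                   # leading parent-directory component
    "a/../../escape.txt",              # embedded parent-directory components
    "..\\escape.txt",                  # same, with backslash separators
    "a\\..\\b.txt",
    "a/..",                            # '..' with no separator after it
    "..",
]

def allowed(where_clause, names=SAMPLES):
    """Return the set of names that pass the given WHERE filter."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE test(name TEXT)")
    con.executemany("INSERT INTO test VALUES (?)", [(n,) for n in names])
    result = {row[0] for row in con.execute(
        f"SELECT name FROM test WHERE {where_clause}")}
    con.close()
    return result

def compare():
    """Classify each sample by how the two filters treat it."""
    orig, prop = allowed(ORIGINAL), allowed(PROPOSED)
    return {
        "blocked_by_both": sorted(set(SAMPLES) - orig - prop),
        "only_blocked_by_original": sorted(prop - orig),
        "allowed_by_both": sorted(orig & prop),
    }

if __name__ == "__main__":
    for label, names in compare().items():
        print(f"{label}: {names}")
```

Names in which `..` is the final component (`a/..`, `..`) pass both filters, because both patterns require a separator after the `..`.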