--- /dev/null
+#! /bin/sh
+###
+### Fetch an archive, and unpack it into a directory in a safe manner.
+
+set -e
+
+## Parse the command line.
+case $# in
+ 3) ;;
+ *) echo >&2 "usage: $0 DIR LABEL URL"; exit 1 ;;
+esac
+dir=$1 label=$2 url=$3
+cd "$dir"
+
+## Fetch the archive.
+rm -rf tmp; mkdir tmp
+curl -s -o tmp/"$label.tar.gz" "$url"
+
+## Check the archive for unpleasantness. The GNU and FreeBSD versions of
+## tar(1) do something vaguely sensible with `..' components in the pathnames
+## of archive members. (Specifically, FreeBSD simply ignores the affected
+## members; GNU strips leading components in a bizarre way.) But OpenBSD
+## gets a special security award for cheerily following the `..' components.
+## So we have to do this complicated laundering thing.
+##
+## The archive ought to unpack everything into a single directory and not
+## contain anythig weird. So check. Actually, this won't catch newlines in
+## member names, so we'll have to be careful about those. The regular
+## expression insists that everything be in a single directory identified by
+## the LABEL, and that the rest of the name contains no two adjacent dots.
+## We use the LABEL as part of an ERE, so it ought not contain bad things.
+if
+ tar tzf tmp/"$label.tar.gz" |
+ grep -Ev "^$label/([^.]+|\.[^.])*$" >&2
+then
+ echo >&2 "$0: archive has bad member pathnames"
+ exit 1
+fi
+
+## Unpack the archive now that we know it's safe.
+(cd tmp; tar xzf "$label.tar.gz")
+
+## Replace any existing tree with the new one.
+rm -rf "$label"
+mv tmp/"$label" .
+rm -rf tmp