Why this matters
The bug. Anywhere user-controlled text becomes part of a filesystem path, expect ... The chmod call on the next line is also affected: the permissions on /etc/shadow could be changed to whatever this archive's perms are.
The fix. basename strips the directory component and any traversal. Better still: enforce an allowlist of filenames matching [A-Za-z0-9._-]+.
Defense in depth. Run the upload handler as a user that can't read system files. chroot or container-isolate the upload directory.
Review heuristic
Whenever filesystem path concatenation meets a request value, verify there's a containment check on the resolved absolute path. The check has to come after normalization and has to fail closed (reject by default), not by string-stripping ...
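One way to combine the filename allowlist from "The fix" with the post-normalization containment check from the review heuristic, as an added Python example (not code from the original page). The names resolve_upload_path, UnsafePath and the uploads directory are assumptions, and the sample filenames are constructed.

```python
import os
import re
import tempfile

# Allowlist from the text. "." and ".." also match it, so reject them explicitly.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


class UnsafePath(ValueError):
    """Raised when a name cannot be proven to stay inside the base directory."""


def resolve_upload_path(base_dir: str, requested: str) -> str:
    """Return an absolute path inside base_dir for requested, or raise UnsafePath."""
    # Fail closed: accept only a bare filename; never strip or "repair" input.
    if not SAFE_NAME.fullmatch(requested) or requested in (".", ".."):
        raise UnsafePath(f"rejected filename: {requested!r}")
    base = os.path.realpath(base_dir)
    # Normalize first (resolves ".." and symlinks), then check containment.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"resolves outside upload dir: {requested!r}")
    return candidate


def demo() -> dict:
    """Run constructed sample names through the check; map name -> accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        # Constructed case: an allowlisted name that is a symlink leaving base.
        os.symlink(tmp, os.path.join(base, "escape"))
        samples = ["report.pdf", "../../etc/shadow", "/etc/shadow",
                   "..", "a/b.txt", "escape", ""]
        for name in samples:
            try:
                resolve_upload_path(base, name)
                results[name] = True
            except UnsafePath:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:22} {'accept' if ok else 'reject'}")
```

The symlink case passes the allowlist and is caught only by the containment check on the resolved path, which is why the check has to run after normalization.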
External reference: CWE-22: Path Traversal.