Bug ID 1205581
Summary VUL-0: CVE-2020-29488: xtrabackup: Changes in How Absolute Paths are Handled in Percona XtraBackup xbstream
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee Andreas.Stieger@gmx.de
Reporter Andreas.Stieger@gmx.de
QA Contact security-team@suse.de
Blocks 1170644
Found By ---
Blocker ---

Due to CVE-2020-29488 (bug 1170644), Percona XtraBackup is modifying how
xbstream handles absolute paths to prevent malicious file injections. Like the
tar archiving utility, the new behavior removes the leading '/' character and
references to the parent directory.

Fixes are available in Percona XtraBackup versions:

>= 2.4.22

>= 8.0.23-16.0

For example, ../../../d1/../d2/h.txt will be saved in the stream with the
relative path ./d2/h.txt.

The updated function provides a warning when creating a stream with a file with
an absolute path:

$ xbstream -c /tmp/data

xbstream: Removing leading '/' from member names

The function also will not extract files with absolute paths:

$ cat a.xb | xbstream -x -C  ./restore

xbstream: absolute path not allowed: /tmp/bar.txt

Note: a stream can contain an absolute path if created with an older version of
xbstream or if the following parameter is used:

    -P, --absolute-names

Be aware of the following:

Scripts that call xbstream to store a path/file under an absolute path will
have the leading '/' and any '../' references stripped from it. This can
produce an unexpected result.

Extracting streams in the older format that still contain a leading '/' in the
path/file produces an error message, and those files are not extracted.
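The following is an added example, not Percona's xbstream code, that models the two behaviors the advisory describes: the create side strips the leading '/' and parent-directory references from a member name (tar-like, with a warning), and the extract side refuses an absolute member name unless the equivalent of -P/--absolute-names is given. Function names, the exception type, the "./" prefix on sanitized names (taken from the advisory's ../../../d1/../d2/h.txt -> ./d2/h.txt example), the wording of the '..' warning, and the extra check that a relative name cannot climb out of the extraction directory are all assumptions of this example.

```python
# Added example modelling the xbstream path handling described in the
# advisory. Not Percona's code; names and messages are assumptions.
import posixpath


def sanitize_member_name(path: str) -> tuple[str, list[str]]:
    """Create-side sanitisation of a path handed to 'xbstream -c'.

    Returns (member name, warnings). A leading '/' is dropped, '.'
    components are ignored, and '..' either pops the previous component
    or is discarded when there is nothing left to pop, so the stored
    name can never refer above the stream root.
    """
    warnings: list[str] = []
    if path.startswith("/"):
        # Same wording as the warning quoted in the advisory.
        warnings.append("Removing leading '/' from member names")
    kept: list[str] = []
    dropped_parent = False
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if kept:
                kept.pop()          # '../' cancels 'd1/' in 'd1/../d2'
            else:
                dropped_parent = True  # nothing to pop: leading '..' is removed
            continue
        kept.append(comp)
    if dropped_parent:
        # Assumed wording, modelled on tar's own message.
        warnings.append("Removing leading '..' from member names")
    member = "./" + "/".join(kept) if kept else "."
    return member, warnings


class AbsolutePathNotAllowed(ValueError):
    """Raised when a stream member has an absolute name and -P is not set."""


def resolve_extract_target(member_name: str, dest_dir: str,
                           allow_absolute: bool = False) -> str:
    """Extract-side check for 'xbstream -x -C dest_dir'.

    An absolute member name (as produced by an older xbstream or by
    'xbstream -c -P') is refused unless allow_absolute is set. As an
    extra check not described in the advisory, a relative member name
    that would still escape dest_dir through '..' is refused as well.
    """
    if member_name.startswith("/"):
        if not allow_absolute:
            raise AbsolutePathNotAllowed(
                f"absolute path not allowed: {member_name}")
        return posixpath.normpath(member_name)
    rel = posixpath.normpath(member_name)
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"path escapes extraction directory: {member_name}")
    return posixpath.normpath(posixpath.join(dest_dir, rel))


if __name__ == "__main__":
    # Constructed inputs taken from the advisory's own examples.
    for p in ("../../../d1/../d2/h.txt", "/tmp/data"):
        name, warns = sanitize_member_name(p)
        for w in warns:
            print("xbstream:", w)
        print(f"{p} -> {name}")
    for member in ("./d2/h.txt", "/tmp/bar.txt"):
        try:
            print(member, "->", resolve_extract_target(member, "./restore"))
        except AbsolutePathNotAllowed as exc:
            print("xbstream:", exc)
```

Running the block reproduces the two messages quoted above: creating a stream from /tmp/data warns about the removed '/', and extracting a stream that still carries /tmp/bar.txt is refused until the -P equivalent is passed. The second check in resolve_extract_target is why stripping '..' on the create side is not enough on its own: a stream written by an older xbstream, or by a modified tool, can carry any name, so the extractor has to validate names independently.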

https://www.percona.com/blog/2021/03/23/cve-2020-29488-changes-in-how-absolute-paths-are-handled-in-percona-xtrabackup-xbstream/