diff --git a/bin/ansible-galaxy b/bin/ansible-galaxy
index 946f7f429a7..0d173321fc9 100755
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
     # verify the role's meta file
     meta_file = None
     members = role_tar_file.getmembers()
+    # next find the metadata file
     for member in members:
         if "/meta/main.yml" in member.name:
             meta_file = member
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):
     # now we do the actual extraction to the role_path
     for member in members:
-        # we only extract files
+        # we only extract files, and remove any relative path
+        # bits that might be in the file for security purposes
+        # and drop the leading directory, as mentioned above
         if member.isreg():
-            member.name = "/".join(member.name.split("/")[1:])
+            parts = member.name.split("/")[1:]
+            final_parts = []
+            for part in parts:
+                if part != '..' and '~' not in part and '$' not in part:
+                    final_parts.append(part)
+            member.name = os.path.join(*final_parts)
             role_tar_file.extract(member, role_path)
     # write out the install info file for later use
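Review bot: The new comment `# next find the metadata file` describes the loop beneath it more loosely than it behaves: the test is a substring match on member.name and the loop never breaks, so every entry whose name contains `/meta/main.yml` (including nested copies deeper in the archive) is accepted and the last match wins. Worth stating that so a reader does not assume a single top-level meta file is selected, e.g. `# find the role's metadata file (substring match; last matching entry wins)`, or adding a `break` after `meta_file = member` if the first match is the intended one. install_role continues outside this hunk, so what happens when meta_file stays None is not visible here.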