gh-146581: Use ZipFile.extractall() in shutil for secure ZIP extraction

[Shrey-N]

This PR refactors shutil._unpack_zipfile to use zipfile.ZipFile.extractall() instead of a manual extraction loop. This resolves a directory traversal vulnerability on Windows where archives containing drive prefixed paths for exampleD:/file.txt could write files outside the intended destination directory.

Changes Made

• Replaced manual path joining and validation with ZipFile.extractall(), which leverages the zipfile module
• Updated the _unpack_zipfile signature to accept **kwargs. This ensures compatibility with the filter argument, preventing TypeError while allowing future filter support for ZIP files.
• This change brings ZIP extraction in line with how shutil handles TAR files, which already uses extractall().

Regression Test

Added a new test case test_unpack_zipfile_traversal_windows_drive to Lib/test/test_shutil.py. This test specifically verifies that a ZIP file containing a drive prefixed path is safely sanitized and extracted within the intended extract_dir on Windows.

Linked Issue

#146581

• Issue: shutil.unpack_archive() on Windows writes outside extract_dir for ZIP entries with drive-prefixed names #146581

[StanFromIreland]

Closing in favour of #146591

[serhiy-storchaka]

Thank you for your PR, @Shrey-N, but we already discussed this issue and created a solution. #146591 is in general similar to your PR, but includes results of that discussion.

[Shrey-N]

Thank you for the update @serhiy-storchaka. I am glad to see the fix landing via #146591 :)