gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows

[serhiy-storchaka]

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

• Issue: shutil.unpack_archive() on Windows writes outside extract_dir for ZIP entries with drive-prefixed names #146581

[Shrey-N]

Wasn't os.path.splitroot() introduced in 3.12? if it is backported wouldn't it crash with AttributeError?

[Shrey-N]

Also, the new os.path.pardir check misses backslash based traversals on Linux/macOS.
The old substring check if '..' in name caught these, but the new component based check treats that whole string as a single (but malicious) filename.

[serhiy-storchaka]

Wasn't os.path.splitroot() introduced in 3.12? if it is backported wouldn't it crash with AttributeError?

Backports will be fixed to use equivalent code.

Also, the new os.path.pardir check misses backslash based traversals on Linux/macOS.

Backslash is not a separator on Posix. It is a legal character which has no special meaning.

[Shrey-N]

I believe it’s actually a regression. Currently, shutil uses a substring check which correctly catches and skips these backslash traversals on Linux.

In this PR it switches to a component based check, which removes that existing protection.

So I believe this actually reduces the existing security strictness for non windows users