[Issue] Validate tar archive extraction paths

[m2-assistant]

This issue is automatically created based on existing pull request: #40821: Validate tar archive extraction paths

---

Summary
Tighten Magento framework TAR extraction so archive entries cannot write outside the configured extraction destination.

The TAR extractor builds output paths by concatenating the destination directory with the archive member name. A crafted member such as ../outside.txt can escape the destination and write elsewhere on disk
during extraction. Symlink entries also lacked target containment checks.

Changes

• Normalize and validate TAR member paths before extraction.
• Reject empty paths, NUL bytes, absolute paths, stream-wrapper paths, Windows drive paths, and . / .. path segments.
• Verify final extraction paths remain under the destination directory.
• Reject symlink targets that resolve outside the destination directory.
• Add regression coverage for traversal and unsafe symlink targets.

Validation

• php -l lib/internal/Magento/Framework/Archive/Tar.php
• php -l lib/internal/Magento/Framework/Test/Unit/ArchiveTest.php
• git diff --check HEAD~1..HEAD
• Local harness confirmed traversal is blocked and a normal nested file still extracts.

Note
I could not run PHPUnit in this clone because vendor/bin/phpunit is not installed.

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.adobe.com/browse/AC-17279 is successfully created for this GitHub issue.