Add security flags to libarchive extraction to prevent path traversal
(Zip Slip) and absolute path attacks:
- ARCHIVE_EXTRACT_SECURE_NODOTDOT: Block ".." path components
- ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS: Block absolute paths
- ARCHIVE_EXTRACT_SECURE_SYMLINKS: Block symlinks escaping extract dir
This hardens both `cmake -E tar` and `file(ARCHIVE_EXTRACT)` against
malicious archives that attempt to write files outside the intended
extraction directory.
For policy-specific tests, use the version before the policy was
introduced. Otherwise, use 3.5 where possible.
Also, remove `cmake_minimum_required()` and `project()` calls from
individual cases where they are handled by `CMakeLists.txt`.
This allows the Zstd compression-level to be set between 0-19. I've
adjusted some of the tests, and error messages to indicates the selected
algorithm, and min/max of its compression-level.
Fixes: #24160
The two options were concatenated internally for both ARCHIVE_CREATE
and ARCHIVE_EXTRACT. The distinction between files and dirs was not
meaningful. Therefore, replace them with PATHS or PATTERNS
to more accurately describe the way the options are used.
Fixes: #20884
