Improve security of tarfile extraction addressed by PEP 706

See PEP 706 - Filter for tarfile.extractall (https://peps.python.org/pep-0706/)

Python 3.12 report this as warning:
Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior

Fixes buildbot#7294

master/buildbot/process/remotetransfer.py

@@ -126,7 +126,10 @@ def remote_unpack(self):
 
         # Unpack archive and clean up after self
         with tarfile.open(name=self.tarname, mode=mode) as archive:
-            archive.extractall(path=self.destroot)
+            if hasattr(tarfile, 'data_filter'):
+                archive.extractall(path=self.destroot, filter='data')
+            else:
+                archive.extractall(path=self.destroot)
         os.remove(self.tarname)
 
 

master/buildbot/test/integration/test_upgrade.py

@@ -77,7 +77,10 @@ def setUpUpgradeTest(self):
             with tarfile.open(tarball) as tf:
                 prefixes = set()
                 for inf in tf:
-                    tf.extract(inf)
+                    if hasattr(tarfile, 'data_filter'):
+                        tf.extract(inf, filter='data')
+                    else:
+                        tf.extract(inf)
                     prefixes.add(inf.name.split('/', 1)[0])
 
             # (note that tf.extractall isn't available in py2.4)

newsfragments/tarfile-pep706.bugfix

@@ -0,0 +1 @@
+Improved security of tarfile extraction to help avoid CVE-2007-4559. See more details in https://peps.python.org/pep-0706/. Buildbot uses filter='data' now. (:issue:`7294`)