Sync D7's copy of Archive_Tar with new 1.5.0 release

Thanks for working on this!

Seems like the Archive_Tar class is used for example when using the Update manager to install a new module via UI (or update a module). See the update_manager_install_form() or update_manager_archive_extract() function.

I was able to trigger the Archive_Tar::_dirCheck() when installing the module via UI (using tar.gz archive). It seems like this function is currently setting the 777 permissions in the temporary directory, where the archive is extracted for the first time. Then the Updater::install() or Updater::update() function is copying the directory from temporary filesystem to the correct destination and permissions are corrected to 755 (at least during my limited testing).

Are we aware of any (other) usage in D7 core where the 777 permissions are kept (so that we can explain that in the CR)? Contrib modules can also use this core library differently (extracting code somewhere else), so I agree that we need the CR to describe this behavioral change.

Otherwise the changes looks good to me.

I have drafted a simple CR here: https://www.drupal.org/node/3451526 → (feel free to update if needed).

Otherwise I think this is ready. Adding a tag.

I'm not aware of anywhere else that core might be affected by this, no.

We have some quasi-unit tests (which couldn't be actual unit tests as they involve using e.g. the temp directory which means Drupal has to be somewhat bootstrapped IIRC) in SystemArchiverTest (added in #3102159: Add tests for Archive_Tar → ) if we wanted to add anything specific around this change.

I don't think we specifically need to in this case as we're just mirroring the upstream change, and existing tests cover core's actual usage - I think that's e.g. \UpdateTestUploadCase::testUploadModule which I only found after I'd added the unit(ish) tests mentioned above.

Oh, and draft CR looks good, thanks.

Thanks! Committed and pushed this.