S3 Tables: validate ARN namespace to prevent path traversal

- Enforce validation on decoded namespace in parseTableFromARN.
- Ensures path components are safe after URL unescaping.

weed/s3api/s3tables/utils.go

@@ -43,6 +43,11 @@ func parseTableFromARN(arn string) (bucketName, namespace, tableName string, err
 		return "", "", "", fmt.Errorf("invalid namespace encoding in ARN: %v", err)
 	}
 
+	_, err = validateNamespace([]string{namespaceUnescaped})
+	if err != nil {
+		return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err)
+	}
+
 	return matches[1], namespaceUnescaped, matches[3], nil
 }