Use safe replacement / check for abuse for tarfile.extractall()
See https://github.com/dumux/dumux/pull/1
This is a well-known Python tarfile vulnerability (got some media attention lately): https://bugs.python.org/issue21109
We could use code from https://pypi.org/project/tarsafe/ (MIT license) to fix this. I would prefer this over https://github.com/dumux/dumux/pull/1, which only checks for one vulnerability.
It's only a problem if someone manages to interfere with the tarballs that we obtain from trusted sources via URLs. But it would be good to add the safety checks from https://pypi.org/project/tarsafe/.
We use extractall in installexternal.py
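
An added example, not code from DuMux or tarsafe, of pre-extraction checks of the kind this issue asks for: every member is validated for path traversal, escaping symlinks and hard links, and device or FIFO entries before anything is written. The names `safe_extractall`, `check_members`, `UnsafeTarError` and `make_tar` are hypothetical, and the tarballs are constructed in memory.

```python
import io
import os
import tarfile


class UnsafeTarError(Exception):
    """An archive member would escape the destination or is a special file."""


def inside(base, target):
    """True if target resolves to base or to a path below it."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base


def check_members(tar, dest):
    """Validate every member before anything is written to disk."""
    for m in tar.getmembers():
        path = os.path.join(dest, m.name)
        if not inside(dest, path):
            raise UnsafeTarError(f"path escapes destination: {m.name}")
        if m.issym() or m.islnk():
            # Symlink targets resolve relative to the link's directory,
            # hard link targets relative to the extraction root.
            link_base = os.path.dirname(path) if m.issym() else dest
            if not inside(dest, os.path.join(link_base, m.linkname)):
                raise UnsafeTarError(f"link escapes destination: {m.name}")
        elif m.isdev():  # character device, block device or FIFO
            raise UnsafeTarError(f"special file in archive: {m.name}")


def safe_extractall(tar, dest):
    """Hypothetical drop-in for tar.extractall(dest): check first, then extract."""
    check_members(tar, dest)
    tar.extractall(dest)


def make_tar(entries):
    """Constructed sample input: in-memory tarball from (name, type, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, typ, linkname in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = typ, linkname
            tar.addfile(info, io.BytesIO(b"") if typ == tarfile.REGTYPE else None)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

On Python versions that provide tarfile extraction filters (PEP 706), `tar.extractall(dest, filter="data")` applies comparable checks from the standard library.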