Use safe replacement / check for abuse for tarfile.extractall()
This is a well-known Python
tarfile vulnerability (got some media attention lately):
It's only a problem if someone manages to interfere with the tarballs that we obtain from trusted sources via URLs. But would be good to add the safety checks from https://pypi.org/project/tarsafe/.
extractall in installexternal.py