Use absolute /usr/bin/tar to avoid PATH hijack

Call /usr/bin/tar instead of plain "tar" when extracting JDK archives in JdkInstaller to avoid PATH-based hijacking. Adds a comment documenting the change; other ProcessStartInfo settings remain unchanged.

Author: jonathanpeppers

src/Xamarin.Android.Tools.AndroidSdk/JdkInstaller.cs

@@ -461,8 +461,9 @@ async Task ExtractTarGzAsync (string archivePath, string destinationPath, Cancel
 			var escapedArchivePath = archivePath.Replace ("'", "'\\''");
 			var escapedDestinationPath = destinationPath.Replace ("'", "'\\''");
 
+			// Use an absolute path to avoid PATH-based hijacking
 			var psi = new ProcessStartInfo {
-				FileName = "tar",
+				FileName = "/usr/bin/tar",
 				Arguments = $"-xzf '{escapedArchivePath}' -C '{escapedDestinationPath}'",
 				UseShellExecute = false,
 				CreateNoWindow = true,