CVE-2021-22922: Wrong content via metalink not discarded

## Summary: When compiled `--with-libmetalink` and used with `--metalink` curl does check the cryptographics hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user. The files with incorrect hashes are left to the disk as-is. Since curl implements the hash validation and reports incorrect hashes there might be an expectation that files with incorrect hashes would not be kept either. Since the metalink can be used with insecure protocols such as http and ftp, the hash validation might be used an actual way to verify the download integrity against tampering. ## Steps To Reproduce: 1.Configure libcurl `--with-libmetalink` and build libcurl 2. Have metalinktest.xml with `<file name="testfile">` containing incorrect sha-256 hash for it. 3. Execute: `curl --metalink https://testsite/metalinktest.xml` The following message will be displayed: `Metalink: validating (testfile) [sha-256] FAILED (digest mismatch)` Yet, the downloaded file `testfile` with incorrect hash mismatch is kept. ## Fix It might be more sensible to download the file to a temporary name first, verify the hash and only then store the file to final name if the hash is correct. If hash mismatch is found remove the temporary file. ## Impact Modified or tampered files are kept and possibly incorrectly assumed valid