@cyphar @brauner I tried to first canonicalize the path (resolve symlinks, remove ./ and ../) and then check if the resulting path is still a subpath of the target root. I can see a few ways it differs from these two, but I don't know if those are security issues?
B
