Hmm, I think the _path_within_fs() check needs to be called for all injected files, as one could upload an image with symlinks in various places to get back to the host.
For example if /root/.ssh in the image was a symlink to ../../../../../root/.ssh then you'd be injecting keys to the host authorized_keys file
Hmm, I think the _path_within_fs() check needs to be called for all injected files, as one could upload an image with symlinks in various places to get back to the host.
For example if /root/.ssh in the image was a symlink to ../../. ./../.. /root/. ssh then you'd be injecting keys to the host authorized_keys file