Comment 13 for bug 1015531

Hmm, I think the _path_within_fs() check needs to be called for all injected files, as one could upload an image with symlinks in various places to get back to the host.

For example if /root/.ssh in the image was a symlink to ../../../../../root/.ssh then you'd be injecting keys to the host authorized_keys file