Security issue in BasePathFs::RealPath method #513
Description
With the base path /app:
RealPath("../secret") // not found error, secure
RealPath("../app-secret") // ok, not secureif !strings.HasPrefix(path, bpath) { - that's the issue, we shouldn't check it like that.
https://github.com/spf13/afero/blob/master/basepath.go#L53-L65
We can use filepath.IsLocal, filepath.Rel or similar methods instead of prefix check.
I drafted a PR, but unfortunately the tests use a TempDir call which adds random postfixes to created folders and thus preventing the attack.