Post Syndicated from jzb original https://lwn.net/Articles/1013876/

Damien Neil has written an article for the Go Blog about path
traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent
them.

Root permits relative path components and symlinks that do not escape
the root. For example, root.Open("a/../b") is permitted. Filenames are
resolved using the semantics of the local platform: On Unix systems,
this will follow any symlink in “a” (so long as that link does not
escape the root); while on Windows systems this will open “b” (even if
“a” does not exist).
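
The behaviour quoted above, as an added example that is not code from the article or the Go project: it compares os.Root with a plain filepath.Join followed by os.Open on the same untrusted name. It assumes Go 1.24 or later on a Unix-like system; the directory layout and the names demo and must are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// demo builds a constructed tree: base/secret sits outside base/root, which holds
// a/, b and two symlinks. It reports what os.Root opens and what a naive join opens.
func demo() (map[string]bool, bool) {
	base, err := os.MkdirTemp("", "osroot-demo")
	must(err)
	defer os.RemoveAll(base)
	dir := filepath.Join(base, "root")
	must(os.MkdirAll(filepath.Join(dir, "a"), 0o755))
	must(os.WriteFile(filepath.Join(dir, "b"), []byte("inside"), 0o644))
	must(os.WriteFile(filepath.Join(base, "secret"), []byte("outside"), 0o644))
	must(os.Symlink("b", filepath.Join(dir, "alias")))          // stays inside the root
	must(os.Symlink("../secret", filepath.Join(dir, "escape"))) // leaves the root
	root, err := os.OpenRoot(dir) // os.Root, added in Go 1.24
	must(err)
	defer root.Close()
	viaRoot := map[string]bool{}
	for _, name := range []string{"a/../b", "alias", "../secret", "escape"} {
		f, err := root.Open(name)
		viaRoot[name] = err == nil
		if err == nil {
			f.Close()
		}
	}
	// Naive handling: Join cleans "../secret" to base/secret before the open.
	f, err := os.Open(filepath.Join(dir, "../secret"))
	if err == nil {
		f.Close()
	}
	return viaRoot, err == nil
}

func main() {
	viaRoot, naiveEscaped := demo()
	fmt.Println(viaRoot, "naive open escaped:", naiveEscaped)
}
```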