Directory loader can escape root directory
From https://discuss.tryton.org/t/uwsgi-is-vulnerable-to-a-directory-traversal-problem-on-2-0-19-1/3780.
Our override of SharedDataMiddleware.get_directory_loader
did include the usage of safe_join
. So it is possible to escape the root directory.