file_open does not sanitize all cases
The patch from #5808 (closed) did not sanitize all cases. Indeed there is a case where external file could be retrieved if they are stored in a folder next to trytond root starting with the same name but a suffix.
For example: '../trytond_suffix'.
Here is review33191002 that fix it.