...
fullpath need not be canonicalized (see FIO02-C. Canonicalize path names originating from untrusted tainted sources). If the path contains a symbolic link, this routine recursively invokes itself on the linked-to directory and ensures it is also secure. A symbolically linked directory may be secure if both its source and linked-to directory are secure.
...