Switch the static files to using a simplified path_is_subdir method from webwork2.

The problem with using `realpath` is that static assets can use symbolic
links.  In fact PG does this with static assets that reside in the same
directory as the problem file by default.  The `realpath` will not be a
subdirectory of the temporary directory in that case.  So `canonpath`
must be used instead.  It does not resolve symbolic links, or even
things like `../` in paths.  Of course the `path_is_subdir` checks those
things.

Author: drgrice1

lib/Renderer/Controller/StaticFiles.pm

@@ -1,11 +1,24 @@
 package Renderer::Controller::StaticFiles;
 use Mojo::Base 'Mojolicious::Controller', -signatures;
 
-use Mojo::File qw(path);
+use Mojo::File            qw(path);
+use File::Spec::Functions qw(canonpath);
+
+sub path_is_subdir ($path, $dir) {
+	return 0 unless $path =~ /^\//;
+
+	$path = canonpath($path);
+	return 0 if $path =~ m#(^\.\.$|^\.\./|/\.\./|/\.\.$)#;
+
+	$dir = canonpath($dir);
+	return 0 unless $path =~ m|^$dir|;
+
+	return 1;
+}
 
 sub reply_with_file_if_readable ($c, $directory, $file) {
 	my $filePath = $directory->child($file);
-	if (-r $filePath && $filePath->realpath =~ /^$directory/) {
+	if (-r $filePath && path_is_subdir($filePath, $directory)) {
 		return $c->reply->file($filePath);
 	} else {
 		return $c->render(data => 'File not found', status => 404);