Open

Description

With the base path `/app`:

```go
RealPath("../secret")     // not found error, secure
RealPath("../app-secret") // ok, not secure
```

`if !strings.HasPrefix(path, bpath) {` - that's the issue, we shouldn't check it like that.
https://github.com/spf13/afero/blob/master/basepath.go#L53-L65

We can use `filepath.IsLocal`, `filepath.Rel` or similar methods instead of the prefix check.

I drafted a PR, but unfortunately the tests use a `TempDir` call which adds random postfixes to created folders and thus prevents the attack.
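The two containment checks side by side, as an added example that is not afero's own code: `realPathPrefix` reproduces the prefix-only check the issue points at, and `realPathRel` is one hardened variant built on `filepath.Rel`, which the issue names as an alternative. Function names are hypothetical, the base `/app` and the paths are constructed inputs, and the expected results assume Unix-style separators.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path leaves the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// realPathPrefix mirrors the weak containment check: join, clean, then a plain
// string prefix comparison. Because "/app-secret" starts with "/app", a sibling
// directory whose name merely begins with the base name passes the check.
func realPathPrefix(base, name string) (string, error) {
	bpath := filepath.Clean(base)
	path := filepath.Clean(filepath.Join(bpath, name))
	if !strings.HasPrefix(path, bpath) {
		return "", ErrOutsideBase
	}
	return path, nil
}

// realPathRel resolves the same way but decides containment with filepath.Rel:
// the joined path is inside the base exactly when its path relative to the base
// is local, i.e. it is not ".." and does not start with "../". This treats
// "/app" and "/app-secret" as distinct directories rather than a shared prefix.
func realPathRel(base, name string) (string, error) {
	bpath := filepath.Clean(base)
	path := filepath.Clean(filepath.Join(bpath, name))
	rel, err := filepath.Rel(bpath, path)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return path, nil
}

func main() {
	base := "/app" // constructed base path, matching the issue's example
	for _, name := range []string{"../secret", "../app-secret", "sub/../../app/x", ".."} {
		p1, e1 := realPathPrefix(base, name)
		p2, e2 := realPathRel(base, name)
		fmt.Printf("%-18s prefix-check: %q %v | rel-check: %q %v\n", name, p1, e1, p2, e2)
	}
}
```

Running it shows the divergence on `../app-secret`: the prefix check returns `/app-secret` with no error, while the `Rel`-based check rejects it because the relative path is `../app-secret`.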